Workcenter wise Authorization Checking in CO11N T.Code

Hi All,
In our business we have 12 operation stages in routing and the total process passes through 4 depts. We have 4 SAP logon IDs for these depts. We are using 4 Milestone Confirmation stages (Control Key PP03) and the separate depts. confirm their stages by using CO11N T.Code. Now I want to check authorization on the basis of Order Operation Activity number wise or Work Center wise so that no other dept. can confirm other stages; only the responsible dept. has authorization to confirm their stages.
Please let me know how I can incorporate these things so that it works. I have checked authorization objects for Confirmation but it is not there. Please guide me.
Thanks & Regards
Nirmal

Hi
Try with these user exits:
CONFPP01 PP order conf.: Determine customer specific default values
CONFPP02 PP order conf.: Customer specific input checks 1
CONFPP03 PP order conf.: Cust. specific check after op. selection
CONFPP04 PP order conf.: Customer specific input checks 2
CONFPP05 PP order conf.: Customer specific enhancements when saving
CONFPP06 PP Order Confirmations: Actual Data Transfer
CONFPP07 Single Screen Entry: Inclusion of User-Defined Subscreens
Thanks
S.Murali
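
One way to enforce the work-center restriction from inside one of the CONFPP exits listed above (added example, not code from the thread): resolve the operation's work center and check it against a custom authorization object. The object Z_PP_CONF with fields WERKS, ARBPL and ACTVT, the form name and its parameters are assumptions; such an object would have to be created in SU21 and assigned with different work-center values to each department's role.

```abap
" Hypothetical helper, called from the customer include of a CONFPP exit
" with the order number (internal format, leading zeros) and operation.
FORM check_conf_auth USING    iv_aufnr TYPE aufnr
                              iv_vornr TYPE vornr
                     CHANGING cv_subrc TYPE sy-subrc.

  DATA: lv_aufpl TYPE afko-aufpl,
        lv_arbid TYPE afvc-arbid,
        lv_arbpl TYPE crhd-arbpl,
        lv_werks TYPE crhd-werks.

  cv_subrc = 4.                       " deny unless every step succeeds

  " Order header -> routing number of the order's operations
  SELECT SINGLE aufpl FROM afko INTO lv_aufpl
    WHERE aufnr = iv_aufnr.
  IF sy-subrc <> 0.
    RETURN.
  ENDIF.

  " Operation -> internal object ID of its work center
  SELECT SINGLE arbid FROM afvc INTO lv_arbid
    WHERE aufpl = lv_aufpl
      AND vornr = iv_vornr.
  IF sy-subrc <> 0.
    RETURN.
  ENDIF.

  " Object ID -> work center name and plant
  SELECT SINGLE arbpl werks FROM crhd INTO (lv_arbpl, lv_werks)
    WHERE objty = 'A'
      AND objid = lv_arbid.
  IF sy-subrc <> 0.
    RETURN.
  ENDIF.

  " Z_PP_CONF is an assumed custom object (WERKS, ARBPL, ACTVT)
  AUTHORITY-CHECK OBJECT 'Z_PP_CONF'
    ID 'WERKS' FIELD lv_werks
    ID 'ARBPL' FIELD lv_arbpl
    ID 'ACTVT' FIELD '01'.
  cv_subrc = sy-subrc.
ENDFORM.

" In the exit include (the variables holding the order and operation
" there are assumptions):
"   PERFORM check_conf_auth USING lv_aufnr lv_vornr CHANGING lv_rc.
"   IF lv_rc <> 0.
"     MESSAGE e398(00) WITH 'No authorization to confirm operation' lv_vornr.
"   ENDIF.
```

The routine denies by default, so an order or operation that cannot be resolved to a work center is rejected instead of silently passing.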

Similar Messages

  • How to Project Code wise Authorization.

    Hi,
    I want to give project code wise authorizations to users. In
    authorization we can give only total project code
    Full/Readonly/No Authorizations. A user only he want to see
    Project Code Hyd. remaining project code he want see in all
    the documents. For document numbering we have option
    Grouping; like this is there any option to prevent project code to
    users.
    reds,
    samapth.

    It is possible to do through SDK, although on a rather large scale. You need to establish a UDO to identify the user ID with multiple project codes, or project code with multiple user IDs. Then all the project code drop-downs inside SBO will need to be replaced by SDK to show only the projects associated with the current logged-in user ID. To make it more complete, you need to establish an error message in the SP_TransactionNotification to hold the document if the project code used (as they can still manually type it in) is not usable by them!

  • How add Authorization check for user with assigened role for t.code-MIR4

    Hi All,
    Regarding authorization, how to check authorizations for a user with assigned roles for the t.code MIR4 using ABAP.
    In Detail:2)     All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
    suggest me...
    Thanks,
    srii..

    Hi Sri ,
    first u need to find out  in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
    make use of Tcode SUIM to find out all roles which are using this Object.
    or
    ask ur basis guy to remove authorizations to create/change....
    regards
    Prabhu

  • Authorization-check and Match code

    Hi
    How do we declare authorization check? Please provide me syntax?
    does match code relates to it?
    Thanks in advance.

    Hi RK,
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    AUTHORITY-CHECK OBJECT <object name>
                  ID <name1> FIELD <f1>
                  ID <name2> FIELD <f2>.
    IF SY-SUBRC NE 0.
      " user does not have the authorization: issue a message or stop here
    ENDIF.
    For Matchcode (which is now called Search help) go to the link
    http://help.sap.com/saphelp_nw04s/helpdata/en/c9/83eb02be4c11d1950200a0c929b3c3/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/cf/21ee93446011d189700000e8322d00/content.htm
    Reward points if this helps.
    Manish

  • Authorization check for select-options field - Company code.

    Hi experts,
    i have company code field on the report selection screen and i have to validate the authorization check for BUKRS.
    How to do authorization check for a select-options field?
    Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
    Thanks.

    >
    RNB wrote:
    > Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
    Does it hurt to type a few lines of code? Why do you need an FM for this my friend?
    Anyways can you please tell which SAP application area (viz. FI, SD etc.) do you want to run the report?
    Suhas
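
The "few lines of code" for a SELECT-OPTIONS field, as an added example that is not part of the thread: the selection is first resolved into concrete company codes, then each one is checked individually, so ranges, patterns and an empty selection are all covered. The report name and the choice of authorization object F_BKPF_BUK with activity 03 (display) are assumptions, since the poster did not name the application area.

```abap
REPORT zdemo_bukrs_auth.            " hypothetical report name

DATA: gv_bukrs TYPE bukrs,
      gt_bukrs TYPE STANDARD TABLE OF bukrs.

SELECT-OPTIONS s_bukrs FOR gv_bukrs.

AT SELECTION-SCREEN.
  " Resolve ranges, patterns, exclusions or an empty selection (= all)
  " into the company codes that actually exist in T001.
  SELECT bukrs FROM t001 INTO TABLE gt_bukrs
    WHERE bukrs IN s_bukrs.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'No company code matches the selection'.
  ENDIF.

  " Check every resolved company code; one failure rejects the whole
  " selection and returns the user to the selection screen.
  LOOP AT gt_bukrs INTO gv_bukrs.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'   " assumed object (FI documents)
      ID 'BUKRS' FIELD gv_bukrs
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE e398(00) WITH 'No display authorization for company code'
                            gv_bukrs.
    ENDIF.
  ENDLOOP.

START-OF-SELECTION.
  " Only reached when every selected company code passed the check.
  LOOP AT gt_bukrs INTO gv_bukrs.
    WRITE: / gv_bukrs.
  ENDLOOP.
```

Checking only S_BUKRS-LOW and S_BUKRS-HIGH would miss the company codes in between and any pattern entries, which is why the selection is expanded against T001 first.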

  • Authorization check For T code

    Hi everyone,
    Can anybody guide to set a  authorization check  for a particular Tcode.
    I have ztable where users are assigned particular numbers.
    I want the users who are assigned some numbers should be able to use this particular t code
    Thanks in advance

    hi
    chk this out
    AUTHORITY-CHECK
    Basic form
    AUTHORITY-CHECK OBJECT object
        ID name1  FIELD f1
        ID name2  FIELD f2
        ID name10 FIELD f10.
    Effect
    Explanation of IDs:
    object: Field which contains the name of the object for which the authorization is to be checked.
    name1 ... name10: Fields which contain the names of the authorization fields defined in the object.
    f1 ... f10: Fields which contain the values for which the authorization is to be checked.
    AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
    You must specify all authorizations for an object and also a value for each ID (or DUMMY).
    The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
    If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
    If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
    The return code value changes according to the different error scenarios. The return code values have the following meaning:
    4: User has no authorization in the SAP System for such an action. If necessary, change the user master record.
    8: Too many parameters (fields, values). Maximum allowed is 10.
    12: Specified object not maintained in the user master record.
    16: No profile entered in the user master record.
    24: The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
    28: Incorrect structure for user master record.
    32: Incorrect structure for user master record.
    36: Incorrect structure for user master record.
    If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
    Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
    Note
    Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
    The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
    Example
    Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
    Table OBJ: Definition of authorization object
    M_EINF_WRK
       ACTVT
       WERKS
    Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
    M_EINF_WRK_BERECH1
       ACTVT 01-03
       WERKS 0001-0003 .
    can display and change plants within the Purchasing and Materials Management areas.
    Such a user would thus pass the checks
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' FIELD '0002'
        ID 'ACTVT' FIELD '02'.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' DUMMY
        ID 'ACTVT' FIELD '01'.
    but would fail the check
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' FIELD '0005'
        ID 'ACTVT' FIELD '04'.
    To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK

  • Forcing Authorization for a transaction code without authorization check in

    Transaction code 'PP02' has an authorization object P_TCODE. So when a user who does not have authorization to transaction 'PP02' tries to execute it from command prompt, the SAP system appropriately restricts user saying "You have no authorization".
    However, if a program has a "Call transaction" verb calling this transaction and if the restricted user runs this report or module program, it does not restrict the user from accessing the transaction.
    Is there any way to restrict user to access the transaction from program without explicitly doing authorization check from within the program?
    Jitendra Mehta

    Hi Florin:
    S_TCODE restricts the user only at command prompt level, not if you run the transaction for program using "CALL TRANSACTION" verb.
    If we assign auth.object P_TCODE with some other transaction values (not one for which we want to restrict), then the authority check works for the above.
    But say, if I have no other transaction code values to be assigned to auth. object P_TCODE for the restricted user ( therefore, obviously I don't assign auth. object P_TCODE to any auth. profile for the restricted user) then again, I am out of luck.
    The only way, I have seen this working is to assign value space ( ' '  ) to auth. object P_TCODE and then assign this auth.object to one of the auth. profiles of the restricted user, BINGO!, then it works.
    But our Authorization team has an objection saying "We assign the transactions ( to auth. object ) which the user should have access. It is not  proper to assign a no value to auth. object ( assigning space value ) "
    I do not know how much merit their argument has, however, I was wondering if there is another way I could achieve it without relying on tens of hundred of programs doing auth. checks whenever they call the restricted transaction.
    Please let me know your thoughts.
    Thanks.
    Jitendra Mehta

  • Authorization check (company code)

    Hi,
    For one user I'm trying to separate access on two company codes:
    -For company Code A: User1 should be able to modify only Accounting Documents (Customers and Vendors)
    -For company Code B: User1 should be able to modify only Accounting Documents (G/L accounts)
    Does anyone know how I can separate such access for the same user?
    Thanks
    Kamel
    Edited by: Kamel Souilah on Dec 1, 2009 10:56 PM

    Thank you Julius for your reply,
    Most of the Tcodes used in this scenario are validating their authorization checks on the same objects. Hard to limit access using those objects. It could be feasible if F_BKPF_KOA has the field company code BUKRS.
    I have to explore your suggestion regarding the subledgers so if you have more details about that point it would be appreciated.
    Thanks
    Kamel

  • Deactivate authorization checks in BSP or function modules?

    Hi all
    I have a BSP application that seems to use a standard function module that performs an unwanted authorization check on object M_MATE_VKO (Material check on sales organization)
    I know it is possible to globally deactivate authorization checks in certain SAP transactions (SU24)
    Does anyone know if there is a similar functionality for BSP applications or function modules? Any suggestions on how to deactivate such authorization checks in BSP applications?
    Regards
    Mike

    > I will also check with my developer if this function module has any return codes etc that can be useful for a custom authorization check. However, I thought these checks were all done within the function module and that it will only return a true/false authorization, sort of... and I am not sure it's a good idea to override all standard authorization checks in this function module
    Sometimes you can handle the messages, but your developer will be able to help you decide whether that is a good idea or not.
    Globally deactivating the object for the whole system is most likely not a good idea, as you seem not to want to grant it because you need it somewhere else...
    Deactivating all checks for the function module is probably not wise either, as I would think that it applies to the whole function group. Developers can do such things sometimes, but often it results in all end users being able to do the same.
    I know that proposal indicators can be set for function modules, but have not tried check indicators. Again, I suspect that it would apply to the whole function group.
    I would think that a careful choice of function module and consulting with your functional guru about config which will not interfere with other requirements is the best route to take.
    I like threads like this. If I bump into a specific solution I will remember it. Try using the search here at SDN on the names of some of the FM's which you are considering - someone might already have solved it...
    Cheers,
    Julius

  • Release Strategy (EBAN-FRGST) in PR authorization check

    Hi,
    Do you know if it is possible to make release strategy (EBAN-FRGST) in authorization check of purchase requisition, other than release code & release group?
    Thanks.

    Hi,
    It's possible through user exit to control the department wise, please consult your ABAP

  • Suppress authentication check from within ABAP code

    Hi,
    we want all users to update their email-address in their own sap profile. (a self service)
    By default, in the screen "System"->"User Profile"->"Own Data", he can update all except his email-id.
    For this, we have written an abap report.
    DATA: p_smtp     TYPE TABLE OF bapiadsmtp WITH HEADER LINE,
          p_return   TYPE TABLE OF bapiret2 WITH HEADER LINE,
          p_addressx TYPE bapiaddr3x.
    DATA: p_uname TYPE xubname.
    PARAMETERS: p_email TYPE ad_smtpadr OBLIGATORY.

    p_uname = sy-uname. "logged in user
    p_smtp-e_mail     = p_email.
    p_smtp-std_no     = 'X'.
    p_smtp-home_flag  = 'X'.
    p_smtp-consnumber = '001'.
    p_addressx-e_mail = 'X'.
    CALL FUNCTION 'BAPI_USER_CHANGE'
      EXPORTING
        username = p_uname
        addressx = p_addressx
      TABLES
        return   = p_return
        addsmtp  = p_smtp.
    when we execute this report, with all rights, it works fine.
    but a normal user when he executes, he is getting this error:
    "You are not authorized to change users in group"
    the su53 screen shows:
    Authorization check failed
      Object Class BC_A Basis: Administration
        Authorization Obj. S_USER_GRP User Master Maintenance: User Groups
          Authorization Field ACTVT Activity  02
          Authorization Field CLASS User group in user master maintenance  <Dummy>
    the point here is we cannot add User Maintenance rights to all our normal users.
    is there any way, within the report (code) we can suppress the authentication check, programmatically just while calling 'BAPI_USER_CHANGE', so that the user will be able to update his email-id.
    thanks in advance,
    Madhu_1980

    Here are 2 useful links:
    http://www.sapdev.co.uk/fmodules/fms_updateaddress.htm
    Updating email address in SU1/SU3
    If these don't help the only thing I can suggest is that you write your own bdc program.
    Regards,
    Warren.

  • Create authorization check for a report

    Hi,
    I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
    Say the report name is ZHR_TIMEABC.
    Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
    Thanks in advance,
    VG

    Hi,
    Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authorization levels, defined in their user profile, just adding this piece of code will take care of authorization check for the program OR do I need to take care of something else?
    If so, when do we need to create the authorization objects using SU20 and assign the group and follow this process? When do we use this approach (lot of threads on authority check have mentioned this procedure)?
    Your inputs will be helpful to understand this concept.
    Thanks,
    VG

  • Add authorization check in Infopackage Scheduler for option 6-ABAP Routine

    We want to add an authorization check in routine rssm_routines_maintain.    This is in the Infopackage scheduler in the Data Selection tab  under the column Type after selecting type=6(ABAP Routine).    This is a core modification.   We have checked with our Security team with traces and found nothing available to help us.
    Two questions:
    1) Is there any other way we can control who can create/change ABAP code by this method ?
    2) Does anyone see this causing problems if we were to make a change to the routine to add code to do an authorization check.
    Your help would be appreciated.
    Robert Begin,
    450-677-9411 or
    514-924-4311
    or email at [email protected]

    Hi Chandran,  we need to restrict a certain group of BW Developers from writing code in the abap routine (option 6 ) in the Infopackage of the Data Selection Tab in column Type.
    The concern is that if having access to write abap code, a person can practically do as he/she pleases with ABAP code and it is a concern.
    Do you have any solution/suggestions to lock this down?
    Much appreciated,
    Regards,
    Robert.

  • Authorization check

    Hi ,
    i new to authorization so i need help ,
    i go to transaction SU21 and i choose some object for example:
    Object R_CPM_BSC
    Text Authorization Object SEM: BSC Elements
    Class SEM Strategic Enterprise Management*
    Author STASTNY
    Field name Heading
    SEMSCARD Scorecard
    SEMOBJTYPE Scorecard Elements: Object Type
    SEMOBJKEY Scorecard Elements: Object Key
    ACTVT Activity
    And when i push on permitted activities i get:
    R_CPM_BSC Authorization Object SE
    ACTVT Activity
    activists
    01 Create or generate
    02 Change
    03 Display
    04 Print, edit messages
    1. i have always just permitted activities for ACTVT ?
    if i want that user just have display Authorization how i have to write it like below?
    AUTHORITY-CHECK OBJECT R_CPM_BSC
    ID ACTVT FIELD '03'
    that's it, i don't use the other fields?
    Regards

    Hi,
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to SU21 Transaction where you have to define authorizations, Objects and for that object you assign fields and values. Another Tcode is PFCG where you can assign these authorization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Vikranth

  • Section Wise Authorization for automatic payment (F110)

    Hi SAP Gurus,
    Our client wants Section Wise authorization on Automatic Payment (F110). That is User A is authorized to make payments for the vendors which have open line items which has section XX. While User B is authorized to make payments for that particular vendors which have open line items which has section YY.
    While execution F110 by User A, system will make payment for all those open items which has section XX. But, when User B is executing F110, system will make payment for all those open items which has section YY.
    Please guide, how to achieve the results.
    Points will be awarded
    Regards
    Rajesh Gupta

    While executing F110, you can choose BSEG-SECCO in 'Field Name' field in 'Free Selection' tab and enter particular values for this field in Values field, i.e. XX or YY.  That way, you can segregate payments.  As far as authorization issue goes, check with your security consultant if particular users can be given authorization for F110 transactions for particular values of BSEG-SECCO field; I am sure this can be done in user authorization profile by the Security Team.
