topic Re: want to add authorization object to su01. in Application Development and Automation Discussions

want to add authorization object to su01.

Former Member — Fri, 13 Feb 2009 08:37:12 GMT

Hi,

In SU01, i need to authenticate the object P_ORGIN while using SU01. but the object P_ORGIN doesn't belongs to SU01 authorized object.

How to make the object P_ORGIN to authenticate while using SU01. ( i mean authorize P_ORGIN for SU01 ).

Thxs

Lee

Re: want to add authorization object to su01.

gaursri — Fri, 13 Feb 2009 08:48:05 GMT

Hi Lee,

Whatever changes we want to do in the authorization code is done through transaction.They are SU20 and SU21.So please try to maintain the authority using these two tcodes.The table may be needed to check the entry parameter for the parameter you want to set authorization for.For this need please check the table TSTCA.Hoping you will be able to resolve your query.

Have a best day ahead.

Re: want to add authorization object to su01.

jurjen_heeck — Fri, 13 Feb 2009 08:56:46 GMT

Please stop posting irrelevant answers in this forum. SU20 and SU21 are not going to help OP, nor is table TSTCA.

To get extra authority-checks in a transaction you actually need to change the program code. A lot of programs have enhancement points or user exits where custom code (with extra authority-checks) can be implemented

Can you tell us more about your requirements? What kind of result do you expect from this extra check?

Re: want to add authorization object to su01.

Former Member — Fri, 13 Feb 2009 09:36:40 GMT

Hi Srivastava,

he i correct, because same scenario i used su20 and su21. finally it led to inconsistance oject and not able to use that object related t.code.

thorw lot of error ....

My requirement is ...

we are doing LSO Project ( learning solution ).

the Auth. Object is P_orgin is used in PA30 for

contact centre code.

The admin of contact centre, can reset the password or lock/unlock their centre candidate only.

He doesn't have authorization to reset the password or lock the other contact centre candiate, if we provide the Object P_origin with SU01 authorization object.

I need the object to be added with SU01 authorzation object. So that SU01 will check the contact centre code also while reset the password of their centre.\

-- Lee

Re: want to add authorization object to su01.

Former Member — Fri, 13 Feb 2009 09:40:13 GMT

Hi,

There are two ways of doing this, you can add the authorization object manually in the profile of the role you are creating, but this would be a temproary measure.

If you want p_orgin to be checked every time you create a role contaning transaction su01, you need to to add this object to SU01 using SU24. You will need to enable the flag to Check/Check Maintained depending on the version you are using.

If you have any further queries let me know

Regards,

Chinmaya

Re: want to add authorization object to su01.

jurjen_heeck — Fri, 13 Feb 2009 10:04:29 GMT

I do not know how many centre's we're talking about and how often people move around from one centre to another. If the amount of centres is limited you could consider assigning the members to user groups for authorization.

With that you can easily authorize user maintenance.

Otherwise you may want to talk to an ABAPer to see if there are customer exits or enhancement points in the program for SU01.

Re: want to add authorization object to su01.

Former Member — Fri, 13 Feb 2009 10:31:14 GMT

as per prakash, i did. but it won't wok. but the object is added to su01.

We are not using any user group. we have some groups. but functional it is not used by our consultant.

any other possible ?????

Re: want to add authorization object to su01.

Former Member — Fri, 13 Feb 2009 10:33:29 GMT

Hi Lee,

What are the value of P_ORGIN that you want to check with SU01? Have you classiefied those in SU24?

Regards,

Chinmaya

Re: want to add authorization object to su01.

jurjen_heeck — Fri, 13 Feb 2009 10:38:57 GMT

> as per prakash, i did. but it won't wok. but the object is added to su01.

There is no way to enforce extra authorization checks without adapting the program code.

For your other question about user groups, I am trying to find out if those can be of help. From one of your other posts:

>The admin of contact centre, can reset the password or lock/unlock their centre candidate only.

How many centres do you have, and how often do candidates change centre?

Re: want to add authorization object to su01.

Former Member — Fri, 13 Feb 2009 11:06:22 GMT

Hi Jurjen,

p_orgin is defined as an authorization object for su01 in usobx. If lee wanted to use an authorization object not linked with su01 in usobx only than would he require an Authority-Check programmed in a user exit.

Lee,

waht does the check flag field in table usobx_c have for value of SU01->P_ORGIN combination

Regards,

Chinmaya

Re: want to add authorization object to su01.

jurjen_heeck — Fri, 13 Feb 2009 11:22:48 GMT

> p_orgin is defined as an authorization object for su01 in usobx.

I stand corrected. Didn't know that.

Now let's see what it's use is..... I'll get back on this one.

Re: want to add authorization object to su01.

Former Member — Sun, 15 Feb 2009 09:32:50 GMT

In the special case of transaction SE93's "authorization" field, it is possible to add additional authority-checks to the transaction (namely, at transaction start only) without adding an additional authority-check statement to the coding. These additional checks can be usefull for minimum use "sanity checks" when starting the tcode and are only really meaningfull for activity type of fields and possibly config-related stuff (such as an account type, etc). But that would not provide the granularity which is sought here, as an org level type of field does not make sense when it is only checked upfront in the transaction and not when using the transaction.

What the "Check" objects in SU24 mean, you first need to understand where they come from via SU22. See this thread ( ) for a hint at it. The "Check" flag is an indicator that a transaction context has the capability of checking a certain object, and is in no way information that the transaction needs it to be used (these would be the "Proposal" fields, if that is the case like it is for example with S_USER_GRP).

My guess would be that during application testing of RHPROFL0 for assigning roles, changing validities, self-registration, etc, the P_ORGIN check turns up in a call from some routine which is recognized as being a functional part of transaction SU01 or SU01_NAV, but while accessing InfoType 0105 would have the capability of checking P_ORGIN.

So, it would be "optional" => "Check" only, otherwise the negative testing would not have been successfull in the original SAP development system.

Cheers,

Julius