topic Re: Custom Report Authorisation in Application Development and Automation Discussions

Custom Report Authorisation

Former Member — Thu, 06 Feb 2014 09:39:27 GMT

Hello,

We have a custom report and we want to restrict the export authorisations for it.

I defined a single role for this particular report and assigned it to a test user. The test user doesn't have assigned any other roles or profiles.

If I run the report and go to Export button I have there Send, Office and ABC Analys options. We don't want the Send option. We want to restrict it.

In the role authorisation data (PFCG) there is only the "Transaction Code Check at Transaction Start" authorisation.

In SU24 there is no authorisation assigned to the report transaction.

How can I find what authorisation we should restrict in this case?

Regards,

Daniela

Re: Custom Report Authorisation

ThomasZloch — Thu, 06 Feb 2014 10:33:39 GMT

My generic approach would be to activate the authorisation trace via ST01, run the activity that you want to restrict and study the trace results afterwards.

If there is any specific check for the activity, you would see the checked authorisation object in the trace and could build your role accordingly.

This question would probably better fit in the space.

Thomas

Re: Custom Report Authorisation

rosenberg_eitan — Thu, 06 Feb 2014 10:36:24 GMT

Hi,

Assuming that you are using cl_gui_alv_grid to show the result:

Based on AUTHORITY-CHECK you can use parameter IT_TOOLBAR_EXCLUDING in METHOD set_table_for_first_display .

DATA: it_toolbar_excluding TYPE ui_functions .

    APPEND cl_gui_alv_grid=>mc_fc_send      TO it_toolbar_excluding .
    APPEND cl_gui_alv_grid=>mc_fc_html      TO it_toolbar_excluding .
    APPEND cl_gui_alv_grid=>mc_fc_pc_file   TO it_toolbar_excluding .
    APPEND cl_gui_alv_grid=>mc_fc_call_abc TO it_toolbar_excluding .
    APPEND cl_gui_alv_grid=>mc_fc_call_xxl TO it_toolbar_excluding .
    APPEND cl_gui_alv_grid=>mc_fc_word_processor TO it_toolbar_excluding .

APPEND cl_gui_alv_grid=>mc_fc_to_office TO it_toolbar_excluding .

    CALL METHOD ob_gui_alv_grid_1->set_table_for_first_display
      EXPORTING
        it_toolbar_excluding = it_toolbar_excluding
        is_layout            = st_layout
        is_print             = st_print
        i_save               = 'A'
        is_variant           = gs_disvariant_1
      CHANGING
        it_sort              = it_sort
        it_fieldcatalog      = it_fieldcatalog
        it_outtab            = it_alv_grid_a.

Result

Regards.

Re: Custom Report Authorisation

nabheetscn — Thu, 06 Feb 2014 10:39:38 GMT

Authority check then delete options from via excluding tab

Re: Custom Report Authorisation

ThomasZloch — Thu, 06 Feb 2014 10:39:59 GMT


Assuming that you are using cl_gui_alv_grid to show the result:

Indeed, it would be good to know which ALV-technique is used, and even more important, custom reports only or also standard?

Thomas

Re: Custom Report Authorisation

former_member209818 — Thu, 06 Feb 2014 10:52:48 GMT

Hi Daniela,

Your requirement of finding the Authorization object is little Tricky. I could not find any specific SAP Provided Authorization object to meet your requirement. But Probably a custom Authorization Object can meet your requirement.

You design one Custom Auth Object with various activities you would like to handle thru it.

Then internally in the Program, you check this Auth Object and then call a custom GUI Status by excluding whatever function codes you want to exclude. This way you will be able to disable the unwanted Menu/Buttons on your ALV report after checking the granted Authorizations in your custom Auth Object

I hope this helps you !!

- harshad

Re: Custom Report Authorisation

Former Member — Thu, 06 Feb 2014 12:19:29 GMT

Hello Eitan,

Yes, the report uses cl_gui_alv_grid.

I'm not an abap programmer. The report is made by an former programmer from our company.

I was hopping there is a easy way.

I don't want to restrict the authorisation from the report code. It hope there is a solution via authorisation role.

Regards,

Daniela

Re: Custom Report Authorisation

rosenberg_eitan — Thu, 06 Feb 2014 12:38:02 GMT

Hi,

Well.... no body is perfect....(I do not know a LOT of things and I am older then you....)

As far as I know if you do not put some code to take into account the authorization object the whole authorization module is a
useless group of tables.

Regards.

Re: Custom Report Authorisation

Former Member — Thu, 06 Feb 2014 12:38:43 GMT

Hello Thomas,

Would have been better if I had started the discussion in the Security space. Now is a little bit late.

I activated the authorisation trace via ST01 and ran the activity but after that there is no trace result.

Regards,

Daniela

Re: Custom Report Authorisation

Sudhakargadde — Thu, 06 Feb 2014 12:59:02 GMT

Hi Butnar,

My suggestion is to go by CL_GUI_ALV_GRID code only why because, if you restrict some options based on the authorization, later an other report has these features then the user doesn't get the option so you need to write a logic in the program before calling the SET_TABLE_FOR _FIRST_DISPALY.

Regards

Sudhakar

Re: Custom Report Authorisation

Former Member — Thu, 06 Feb 2014 13:00:24 GMT

Hello again,

This is really silly.

I log off from the test user and log on again. Now I can see the Send option but I can't send it.

Only when I press the send button in the "Create Document and Send" screen - S000 TCode - I get the "You do not have authorization to send to Internet user address" error message.

Thank you for your answers.

Regards,

Daniela

Re: Custom Report Authorisation

Former Member — Tue, 11 Feb 2014 01:32:55 GMT

Please take the course ADM940 before asking further questions, or the D-I-Y course here on SCN by searching before asking questions.

Otherwise the forums are flooded by "how to" questions -> training and searching will answer questions very quickly.

Thread locked.

ps: If ABAP mods think that this can be caught in ABAP and made authorization relevant then let me know and I will unlock it. Please read the question carefully first... 😉

Sorry, did not realize that it was just a security tag to an ABAP question.

This has now been duplicate posted since, so I suggest locking thing thread.

Cheers,

Julius