topic Re: authorization objects in Application Development and Automation Discussions

authorization objects

Former Member — Wed, 24 Jan 2007 10:50:11 GMT

hello,

can any body help me what are authorization objects and how they are use full in abap

how they can be created

how to implement in my z-prog / z-tables etc.

Thanks

Mukesh

Re: authorization objects

Former Member — Wed, 24 Jan 2007 10:53:42 GMT

Hi,

Please check the following

http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm

http://www.sapsecurityonline.com/r3_security/r3_security_tips.htm

Re: authorization objects

Former Member — Wed, 24 Jan 2007 10:53:53 GMT

Hi Mukesh,

By using this authorization objectsm we restrict the userd not to use soem transaction code. and we might restrict the users not to use some data ..

see the below documantation

Authorization Check for Transactions

You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.

Authorization Check for ABAP Programs

For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.

Authorization Check in ABAP Programs

A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID namen FIELD fn.

See the Simpel Program

REPORT demo_authorithy_check.

PARAMETERS pa_carr LIKE sflight-carrid.
DATA wa_flights LIKE demo_focc.

AT SELECTION-SCREEN.

  AUTHORITY-CHECK OBJECT 'S_CARRID'
                  ID 'CARRID' FIELD pa_carr
                  ID 'ACTVT' FIELD '03'.

  IF sy-subrc = 4.
    MESSAGE e045(sabapdocu) WITH pa_carr.
  ELSEIF sy-subrc <> 0.
    MESSAGE e184(sabapdocu) WITH text-010.
  ENDIF.

START-OF-SELECTION.

  SELECT  carrid connid fldate seatsmax seatsocc
    FROM  sflight
    INTO  CORRESPONDING FIELDS OF wa_flights
    WHERE carrid = pa_carr.

    WRITE: / wa_flights-carrid,
             wa_flights-connid,
             wa_flights-fldate,
             wa_flights-seatsmax,
             wa_flights-seatsocc.

  ENDSELECT.

Regards

Sudheer

Re: authorization objects

Former Member — Wed, 24 Jan 2007 10:56:13 GMT

authorization objects are ones which are used to check whether an user has access to an object or not. If the user has access he can use the object else he will be exited.

Now, the user needs to be assigned a role with the authorization object and associated fields.

in program u need to write as...

AUTHORITY-CHECK OBJECT '<authotiry object name>'

ID '<field name>' FIELD '<field value>'.

say authority object created as F_BKPF_BUP & field for T001B-BRGRU has 0001 & 0002.

the user has access to T001B-BRGRU = 0002.

now,

AUTHORITY-CHECK OBJECT 'F_BKPF_BUP'

ID 'BRGRU' VALUE '0001'.

User can't access object.

AUTHORITY-CHECK OBJECT 'F_BKPF_BUP'

ID 'BRGRU' VALUE '0002'.

User can access object.

Re: authorization objects

Former Member — Wed, 24 Jan 2007 11:05:21 GMT

Hi,

Authorisation objects are used to restrict certain transactions to users.Critical data must be protected from unauthorised users.For example,the head has access to certain data.But it cannot be accessed by his subordinate.For this we need to define roles.

•Create an authorization object with transaction SU21.

An object usually consists of the ACTVT (activity) field and one other field,which specifies the data type to be protected.By ACTVT, we can decide if the data is accessible for change,display only etc.

•Add authorization fields to the authorization object created.

•Assign the authorization object to the transaction using SE93.

Attach the authorization object to the role using transaction PFCG.

Regards,

Beejal

**Reward if answer is helpful

Re: authorization objects

Former Member — Wed, 24 Jan 2007 11:22:15 GMT

DEAR Sudheer,

THANKS A LOT,

THAT IS FINE , BUT

1 . HOW TO CREATE IT

2. WHO / HOW AND WHERE I FEED THAT FILEDS DATA ON USERS LEVEL

FOR EXP.

IF I WANT TO RESTRICT REPORT FOR A USER NOT TO RUN FOR PERTICULAR PLANT

tHANKS

MUKESH

Re: authorization objects

Former Member — Wed, 24 Jan 2007 11:50:56 GMT

thanks,

now if i create it and put it in t-code & in prog. and then what happen when

1. object not assign to user

2. object assign to user but revelant fileds data not assign to user

mukesh

Re: authorization objects

dhorions — Wed, 24 Jan 2007 11:53:14 GMT

Creation of authorisation objects can be done in se80.

If you open a package and right click you can choose create. Then select others, then authorization object.

You can create authorisation objects there and also add fields .

If you assign these authorisation objects to profiles in your roles (and limit these to certain values), users who have these roles have authorisation for these objects will have this authorisation, others won't.

In your report you can do the check for the authorisation object as shown in other replies in this thread.


AUTHORITY-CHECK OBJECT '<authotiry object name>'
ID '<field name>' FIELD '<field value>'.

I hope this helps,

Dries

Message was edited by:

Dries Horions

I see Beejal replied while I was typing this, transaction SU21 can indeed also be used to create authorisation objects.

Re: authorization objects

Former Member — Wed, 21 Mar 2007 10:53:32 GMT

Hello Mukesh,

Use the following code.

TABLES t001w.

SELECT-OPTIONS s_werks FOR t001w-werks.

PARAMETERS p_werks type t001w-werks.

data s_werk TYPE SD_WERKS_RANGES.

AT SELECTION-SCREEN.

APPEND LINES OF s_werks TO s_werk.

CALL METHOD zkltest=>validate_plant

CHANGING

so_werks = s_werk

p_werks = p_werks.

START-OF-SELECTION.

WRITE 'SUCCESSFUL'.

METHOD validate_plant.

DATA : l_flag TYPE c,

l_message TYPE string VALUE 'You are not Authorized to use the following Plants ',

wa_werks TYPE ty_werks,

i_werks TYPE STANDARD TABLE OF ty_werks.

IF so_werks IS NOT INITIAL.

SELECT werks FROM t001w "Do this only if Select-options is passes

INTO TABLE i_werks

WHERE werks IN so_werks.

elseif p_werks IS NOT INITIAL.

SELECT werks FROM t001w "Do this if Parameter is passed

INTO TABLE i_werks

WHERE werks = p_werks.

ENDIF.

LOOP AT i_werks INTO wa_werks.

AUTHORITY-CHECK OBJECT 'M_MATE_WRK'

ID 'ACTVT' FIELD '03'

ID 'WERKS' FIELD wa_werks-werks.

IF sy-subrc <> 0.

l_flag = '1'.

CONCATENATE l_message ', ' wa_werks INTO l_message.

ENDIF.

ENDLOOP.

IF l_flag EQ '1'.

CLEAR : so_werks,

p_werks.

MESSAGE l_message TYPE 'W'.

ENDIF.

ENDMETHOD.