topic Re: Doubt in Authorization in Application Development and Automation Discussions

Doubt in Authorization

Former Member — Tue, 29 May 2007 07:37:58 GMT

Hi All

I am very new to this topic.I have a piece of code with me...So tell me in a simple way what does it means....My doubts are

1. what is the use of Authorization-checks

2. In the below code what is OBJECT , ID and FIELD..What does it means..Tell me with a simple example...

3. Is there any other type of Authorization Checks...

AUTHORITY-CHECK OBJECT 'S_CARRID'

ID 'CARRID' FIELD pa_carr

ID 'ACTVT' FIELD '03'.

Proper answers Will Be Rewarded..

Thanks..

Re: Doubt in Authorization

Former Member — Tue, 29 May 2007 07:40:53 GMT

chk this

http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm

http://www.sapdevelopment.co.uk/security/authority/authhome.htm

Re: Doubt in Authorization

Former Member — Tue, 29 May 2007 07:44:01 GMT

AUTHORITY-CHECK

Basic form

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID name10 FIELD f10.

Effect

Explanation of IDs:

object

Field which contains the name of the object for which the authorization is to be checked.

name1 ...

Fields which contain the names of the

name10

authorization fields defined in the object.

f1 ...

Fields which contain the values for which the

f10

authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and a also a value for each ID (or DUMMY).

The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.

The return code value changes according to the different error scenarios. The return code values have the following meaning:

User has no authorization in the SAP System for such an action. If necessary, change the user master record.

Too many parameters (fields, values). Maximum allowed is 10.

Specified object not maintained in the user master record.

No profile entered in the user master record.

The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

Incorrect structure for user master record.

If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ: Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0002'

ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' DUMMY

ID 'ACTVT' FIELD '01':

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0005'

ID 'ACTVT' FIELD '04'.

To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.

Re: Doubt in Authorization

Former Member — Tue, 29 May 2007 07:48:06 GMT

Thanks..Can U Give me a simple example also..So that i can understand the concept simply..,,,

Re: Doubt in Authorization

Former Member — Tue, 29 May 2007 07:49:35 GMT

What does the OBJECT Stands for...Where we are using this keyword actually..

Re: Doubt in Authorization

Nkrish — Tue, 29 May 2007 07:50:32 GMT

hi,

The Authorization checks are used to ensure that the user has proper authorizations.

e.g a developer can only use a particular transation if he / she has proper authorizations.

This can either be display(03), create(01), change(02) authorizations. There can be many more but the main are only these three.

Each authorization has an authorization object. each object has field for which authorizations can be given.

In the e.g that you have specified: For the field : pa_carr you only have display authorizations.

another example :

To check the authorization of the user of an ABAP program, use the AUTHORITY-CHECK statement:

AUTHORITY-CHECK OBJECT '<object>'

ID '<name1>' FIELD <f1>

ID '<name2>' FIELD <f2>

.............

ID '<name10>' FIELD <f10>.

This link gives you more explanations

http://www.geocities.com/SiliconValley/Grid/4858/sap/Basis/AuthIntro.htm

For more detailed explanation please go through these links:

http://help.sap.com/saphelp_47x200/helpdata/en/fc/eb3ba5358411d1829f0000e829fbfe/frameset.htm

http://help.sap.com/saphelp_47x200/helpdata/en/52/67167f439b11d1896f0000e8322d00/frameset.htm

Regards,

Narayani

Re: Doubt in Authorization

Former Member — Tue, 29 May 2007 07:52:25 GMT

1. what is the use of Authorization-checks: it's to check if the user can or can't do something.

Every user has a profile, the profile is constituted by authorization objects and they determine the area where the user can work.

2. In the below code what is OBJECT , ID and FIELD..What does it means..Tell me with a simple example...

OBJECT = The name of authorization object
ID           = The name of the field of the object
FIELD     = the value to be checked

For example the object F_BKPF_BUK is to define for wich company code a user can work.

This object has the followin fields:

BUKRS = Company Code

ACTVT = The activity code (what a user can do)

So if you want to know if a user can post a document for the company code AAAA:

AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
     ID 'BUKRS' FIELD 'AAAA'
     ID 'ACTVT'  FIELD '01'.
IF SY-SUBRC <> 0.
----trigger message error displaying the user can't post the document for company code AAAA
ENDIF.

U can see all objects by trx SU21

U can see the profile/role by trx PFGC

Max

3. Is there any other type of Authorization Checks...

AUTHORITY-CHECK OBJECT 'S_CARRID'

ID 'CARRID' FIELD pa_carr

ID 'ACTVT' FIELD '03'.

Re: Doubt in Authorization

Former Member — Tue, 29 May 2007 07:58:37 GMT

Thank you Max..........