topic Re: set the authorisation in Application Development and Automation Discussions

set the authorisation

Former Member — Thu, 06 Dec 2007 08:54:38 GMT

where do this authority-check actually checks for the authorisation that is in which table....

if i want to change the authorisation values how do i set the authorisation through program.

Re: set the authorisation

former_member195698 — Thu, 06 Dec 2007 08:58:49 GMT

For giving an authorization to some user for an authorization object you have to use PFCG transaction or through SU01. Contact the Basis Consultant in your team for giving authorization.

SAP will store the authoriation in the form of RAW data so you will not be able to read it from any table.

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 09:54:05 GMT

we dont have access for SU01 or to make changes in PFCG

anyways, but where s ths authority-check actually looks up for the comparison

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 09:57:26 GMT

SU01 or to make changes in PFCG

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 09:59:10 GMT

Hi,

u have to change the authorization values from PFCG only.thruough tables we cannot change.

rgds,

bharat.

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 10:05:59 GMT

Hi Varalakshmi,

You can change the authorization values from PFCG .You cannot set the authorisation through program.

Please do reward if useful.

Thankx.

Re: set the authorisation

former_member386202 — Thu, 06 Dec 2007 10:10:06 GMT

Hi,

Refer this code

FORM sub_check_auth_iwerk .

--Constant for t code, no tcode hence value = '' (all)

CONSTANTS: lc_tcd LIKE tstc-tcode VALUE '*'.

*--Table for all the plants in selection screen. This

table will be used for authority check.

DATA: BEGIN OF li_plant OCCURS 0,

iwerk LIKE t001w-werks,

END OF li_plant.

*--Select query to pick plant from table t001w

SELECT werks "Plant

INTO TABLE li_plant

FROM t001w

WHERE werks IN s_iwerk.

LOOP AT li_plant.

AUTHORITY-CHECK OBJECT 'I_SWERK'

ID 'TCD' FIELD lc_tcd

ID 'SWERK' FIELD li_plant-iwerk.

*--Check SUBRC

IF sy-subrc NE 0.

*--No Authorization for Plant

MESSAGE e016 WITH li_plant-iwerk.

ENDIF.

ENDLOOP. "loop at li_plant

ENDFORM. "sub_check_auth_iwerk

Regards,

Prashant

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 10:11:23 GMT

Authorization can be provided

1) Transaction level: all transactions are maintained in profiles that are been added to user.

2) Object level: Authorizations are provided to each object that is been used all the list of objects with authorization restriction liek change,create and display are added to a profile that is been assigned to user.

3) structural authorization: This authorization is provided to organizational units in HR module. Organizational units with authorization types (create change display) are created as a role and assigned to individual user.

Depending upon your authorization level we can find the table.

Sirish

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 10:12:08 GMT

AUTHORITY-CHECK

Basic form

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID name10 FIELD f10.

Effect

Explanation of IDs:

object Field which contains the name of the object for which the authorization is to be checked.

name1 ... Fields which contain the names of the name10 authorization fields defined in the object.

f1 ... Fields which contain the values for which the f10 authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and a also a value for each ID (or DUMMY ).

The system checks the values for the ID s by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code SY-SUBRC = 0, the user has the required authorization and may continue.

The return code is modified to suit the different error scenarios. The return code values have the following meaning:

4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.

8 Too many parameters (fields, values). Maximum allowed is 10.

12 Specified object not maintained in the user master record.

16 No profile entered in the user master record.

24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

28 Incorrect structure for user master record.

32 Incorrect structure for user master record.

36 Incorrect structure for user master record.

If the return code value is 8 or possibly 24, inform the person responsible for the program. If the return code value is 4, 12, 15 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP, since authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f , you can also write ID name DUMMY . This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ : Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0002'

ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' DUMMY

ID 'ACTVT' FIELD '01':

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0005'

ID 'ACTVT' FIELD '04'.

To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK .

This will help u completely .

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 15:01:02 GMT

i will put my question in this way,

our issue is for one particular user a report is not pulling the data, but for other users it is showing the output.

then we suspected that it would be a authorisation issue, since we asked that user to run SU53 after that report the result displayed like

for the object YEPME_WRKC

the werks value was set to DUMMY

arbpl value was set to 1000181

action value was set to DUMMY

the code was written like

AUTHORITY-CHECK OBJECT 'YEPME_WRKC'

ID WERKS 'DUMMY'

ID ARBPL FIELD ITAB-FIELD1

ID ACTION 'DUMMY'

our concern is why the arbpl value is displaying as 1000181 instead of the value maintained in the roles, then we got the point is like it is not the arbpl value but the objid for the authorisation value maintained in CRHD table

actually the SU53 gets the value from some memory which is getting populated from the tcode that is been executed previously , then i tried to change the value of arbpl by set parameter id and the USR07 table also got updated with all those values

even after the USR07 table has been updated with a particular value say for example 'R16army' the authority-check statement should set the sy-subrc value as 4 if it checks for the object with the value other than 'R16army' but it is showing as like authorisation is there,where am i going wrong

will the SU24 will give me the solution

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 15:20:30 GMT

helllo lakshmi,

on what you would need authorization.

if there is going to be a restriction in authorization, you may need to verify by using SU53.

call transaction SU53 and run your report to identify the authorization that is hindering. and compare with the users that are able to run the transaction.

then go to BASIS people to compare the roles and add the roles that are required.

if you need further clarification,

please reply,

Thanks and regards,

Naveena.

)

Re: set the authorisation

Former Member — Thu, 06 Dec 2007 22:53:40 GMT

hey naveena

how r u

photoslam supera irundhadhu

nalla enjoy panringala

actually my problem is even though i restrict the authorisation through SU53 say like in SU53 it displays for the object saying i have authorisation for only one workcenter,then when i run the report it should actually give me error saying i dont have authorisation fortheotherrite but it is not showing like that