topic authorization object assigned to transaction does not work in Application Development and Automation Discussions

authorization object assigned to transaction does not work

Former Member — Fri, 01 Feb 2008 14:30:10 GMT

Dear ABAPers,

I created a transaction code reffering to SAP query program. This program should check authorization for company code. In the definition of the transaction (se93) I put F_BKPF_BUK authorization object and specified its fields values: ACTVT = '03', BUKRS = ' '. Because BUKRS is left empty, that means that it is to be read from users roles.

So, a user who has company code 1107 defined in the role should run the program, but not for company code 7000 (not defined in the role).

The problem is that the user can also run the program for this 7000.

I am realy confused and kindly ask you for help to solve the issue. It is an urgent matter ...

Thanks in advance and regards.

Rafal

Re: authorization object assigned to transaction does not work

Former Member — Fri, 01 Feb 2008 14:40:08 GMT

Hi,

I don't think the authoriation object in SE93 works as you expect.

The check works as follows, let's say you have object F_BKPF_BUK with values ACTVT = '03', BUKRS = '7000' in the check. The auth check will look in the user master for the object (F_BKPF_BUK) then the required values for activity and company code. If there's a match, the check is passed and things continue.

If you leave BUKRS blank then the value always passes the check.

Regards,

Nick

Re: authorization object assigned to transaction does not work

Former Member — Fri, 01 Feb 2008 15:51:27 GMT

but nonetheless you can achieve your goal: got to tx. SU24 and type in the name of your transaction. then you can show/add values that should be checked when your transaction is run. in your case you might want to consider assigning F_BKPF_BUK in SU24 to be checked in the runtime of your transaction and leave the checking for S_TCODE to SE93.

of course you would have to create a role which has your transaction code in it (you can also use an existing role). SU24 will now take care that F_BKPF_BUK is added to the authorization values in that role and you can adjust it as needed.

Re: authorization object assigned to transaction does not work

Former Member — Mon, 04 Feb 2008 09:06:54 GMT

So it looks like in se93 I can only set authorization check only for one authorization object with specified fields values (empty field means accept all values). For example, if there is a role that is defined to accept ACTVT = '03' and BUKRS = 1107, 2007, 2009 of authorization object F_BKPF_BUK, I can only specify for my transaction in se93 one of these BUKRS values, ie. 1107 or 2007 or 2009. I think this is the same with su24 ...

How can I check authorization in a SAP query for cc, then? I think the only reasonable way is to put ABAP statement AUTHORITY-CHECK in the code of the query. Well, I tried this way:

I use a query for which an infoset is already defined. In the infoset (sq02) I need to code authorization check statement. It is company code value to be checked. An input field for cc is a select-option in the selection screen.

The query program starts with:

report AQT6ZR00005SRI==M5_1==========.

include /1BCDWB/IQ000000000005DAT.

data %dtab type standard table of /1BCDWB/IQ000000000005 with header line.

data %subrc type sy-subrc.

include /1BCDWB/IQ000000000005SSCR.

In /1BCDWB/IQ000000000005SSCR include I have the select-options defined:

selection-screen begin of block qsel

with frame title text-s02.

select-options SP$00001 for REGUH-ABSBU.

select-options SP$00003 for REGUH-LAUFD.

select-options SP$00004 for REGUH-LAUFI.

select-options SP$00005 for REGUH-VBLNR.

select-options SP$00006 for REGUH-IDOC_NUM memory id DCN.

select-options SP$00007 for REGUH-RZAWE.

selection-screen end of block qsel.

So, I am interested in SP$00001 that contains company code range. I am trying to put an additional code into infoset (sq02->Extras->Code). The code looks like this:

'DATA' block

TABLES: t001.

'AT SELECTION-SCREEN OUTPUT' block

SELECT * FROM t001 WHERE bukrs IN SP$00001.

AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'

ID 'BUKRS' FIELD t001-bukrs

ID 'ACTVT' FIELD '03'.

IF sy-subrc NE 0.

MESSAGE e000(zz) WITH 'No authorization for company code' t001-bukrs '!'.

ENDIF.

ENDSELECT.

The problem is, when I do syntax checking, I got an error:

The IN operator with "SP$00001" is followed neither by an internal table nor by a value list.

It looks like I have no access to the SP$00001 from my additional code. Please, advice me how to program the auth-check using company code values from SP$00001 ?

Thanks in advance.

P.S. By the way: I have no idea what $ means in the select-options names.