https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390756#M814180 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>U need to insert a check for a authorization object of company code.</P><P></P><P>So now the problem is to understand if you can use a standard object (for example FI object) or you need to create a new one.</P><P></P><P>If you can use a std one you don't need to change the profile, if you can't do it, u need to change the profile in order to insert the new object.</P><P></P><P>Anyway in your program u have to insert the check of the object:</P><P></P><PRE><CODE>AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD P_BUKRS ID 'ACTVT' FIELD '03'.</CODE></PRE><P></P><P>In my example I've used F_BKPF_BUK (it is the FI)</P><P></P><P>Max</P></BODY></HTML> Wed, 13 Feb 2008 15:36:32 GMT Former Member 2008-02-13T15:36:32Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390755#M814179 <HTML><HEAD></HEAD><BODY><P>I have a report, and that transaction is assigned to different roles, which are assigned to different users.</P><P></P><P>How do I limit which company code can be view per user? I am not sure how the authorization objects work when it comes to reporting. In PFCG I have trouble finding any objects relating to this report.</P><P></P><P>Can someone point me in the right direction please?</P><P></P><P>Allie</P></BODY></HTML> Wed, 13 Feb 2008 15:20:26 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390755#M814179 Former Member 2008-02-13T15:20:26Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390756#M814180 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>U need to insert a check for a authorization object of company code.</P><P></P><P>So now the problem is to understand if you can use a standard object (for example FI object) or you need to create a new one.</P><P></P><P>If you can use a std one you don't need to change the profile, if you can't do it, u need to change the profile in order to insert the new object.</P><P></P><P>Anyway in your program u have to insert the check of the object:</P><P></P><PRE><CODE>AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD P_BUKRS ID 'ACTVT' FIELD '03'.</CODE></PRE><P></P><P>In my example I've used F_BKPF_BUK (it is the FI)</P><P></P><P>Max</P></BODY></HTML> Wed, 13 Feb 2008 15:36:32 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390756#M814180 Former Member 2008-02-13T15:36:32Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390757#M814181 <HTML><HEAD></HEAD><BODY><P>Also.</P><P></P><P>You can run an authorisation trace for the transaction using ST01 which will tell you all the all the authorisation objects called for that transaction.</P></BODY></HTML> Wed, 13 Feb 2008 15:58:15 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390757#M814181 Former Member 2008-02-13T15:58:15Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390758#M814182 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>usually authorization is not added on for one field in a table. if the user is not authorized to view the total field, then check the authority at the beginnning of the program. If the authority fails do not display the total field, else display the total field. There is no need to add authority check inside the loop.</P><P></P><P>AUTHORITY-CHECK OBJECT object</P><P>ID name1 FIELD f1</P><P>ID name2 FIELD f2</P><P>...</P><P>ID name10 FIELD f10.</P><P></P><P></P><P>Effect</P><P>Explanation of IDs:</P><P></P><P>object</P><P>Field which contains the name of the object for which the authorization is to be checked.</P><P></P><P>name1 ...</P><P>Fields which contain the names of the</P><P>name10</P><P>authorization fields defined in the object.</P><P></P><P>f1 ...</P><P>Fields which contain the values for which the</P><P>f10</P><P>authorization is to be checked.</P><P></P><P>AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).</P><P>You must specify all authorizations for an object and a also a value for each ID (or DUMMY).</P><P>The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.</P><P>If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.</P><P>If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.</P><P>The return code value changes according to the different error scenarios. The return code values have the following meaning:</P><P></P><P>4</P><P>User has no authorization in the SAP System for such an action. If necessary, change the user master record.</P><P>8</P><P>Too many parameters (fields, values). Maximum allowed is 10.</P><P>12</P><P>Specified object not maintained in the user master record.</P><P>16</P><P>No profile entered in the user master record.</P><P>24</P><P>The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.</P><P>28</P><P>Incorrect structure for user master record.</P><P>32</P><P>Incorrect structure for user master record.</P><P>36</P><P>Incorrect structure for user master record.</P><P></P><P>If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.</P><P>Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.</P><P></P><P></P><P>Note</P><P>Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.</P><P>The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.</P><P></P><P></P><P>Example</P><P>Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:</P><P></P><P>Table OBJ: Definition of authorization object</P><P></P><P>M_EINF_WRK</P><P>ACTVT</P><P>WERKS</P><P></P><P>Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations</P><P></P><P>M_EINF_WRK_BERECH1</P><P>ACTVT 01-03</P><P>WERKS 0001-0003 .</P><P></P><P>can display and change plants within the Purchasing and Materials Management areas.</P><P></P><P>Such a user would thus pass the checks</P><P></P><P></P><P>AUTHORITY-CHECK OBJECT 'M_EINF_WRK'</P><P>ID 'WERKS' FIELD '0002'</P><P>ID 'ACTVT' FIELD '02'.</P><P></P><P>AUTHORITY-CHECK OBJECT 'M_EINF_WRK'</P><P>ID 'WERKS' DUMMY</P><P>ID 'ACTVT' FIELD '01':</P><P></P><P></P><P>but would fail the check</P><P></P><P>AUTHORITY-CHECK OBJECT 'M_EINF_WRK'</P><P>ID 'WERKS' FIELD '0005'</P><P>ID 'ACTVT' FIELD '04'.</P><P></P><P></P><P>To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.</P></BODY></HTML> Wed, 13 Feb 2008 16:21:43 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-within-a-report/m-p/3390758#M814182 former_member156446 2008-02-13T16:21:43Z