topic Re: Authorization in Application Development and Automation Discussions

Authorization

Former Member — Fri, 15 Feb 2008 03:05:56 GMT

Hi ,

What is authorization check ,

how we can do that what is the purpose of authorization check pls give some help full infrmation.

THX

Re: Authorization

Former Member — Fri, 15 Feb 2008 03:14:21 GMT

Hi,

Pls. check below useful links.

With PDF.

Check the below link,here you can see complete information about Auth checks and objects.

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c

Check the below links.

http://help.sap.com/saphelp_nw04/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/content.htm

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/9000821b-666a-2910-499a-aaffde140a9a

http://help.sap.com/saphelp_nw04s/helpdata/en/8d/3e4e19462a11d189000000e8323d3a/frameset.htm

Check the below link for Main HR Authorization Object for Security .

http://www.sap-img.com/human/main-hr-authorization-object-for-security.htm

Re: Authorization

Former Member — Fri, 15 Feb 2008 03:16:52 GMT

Authorization check is to restrict the access to a set of users ho have the authority to run the particular transaction.

You can just search help.sap.com for the detailed info on Authorization.

Regards,

Atish

Re: Authorization

Former Member — Fri, 15 Feb 2008 04:27:15 GMT

Hi,

authorization check mean checking the authorization of the user for a particular transaction. suppose a company wants to restrict the transaction XD02 i.e. change customer for a perticular user so that he can'nt change the customer details. so this is mainly to restrict the user for a perticular transaction etc. this authorization will be provide by basis or authorization team.

Reward if helpful.

Regards

Venkat

Edited by: venkata prasad on Feb 15, 2008 5:28 AM

Re: Authorization

former_member156446 — Fri, 15 Feb 2008 04:29:22 GMT

Hi,

usually authorization is not added on for one field in a table. if the user is not authorized to view the total field, then check the authority at the beginnning of the program. If the authority fails do not display the total field, else display the total field. There is no need to add authority check inside the loop.

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID name10 FIELD f10.

Effect

Explanation of IDs:

object

Field which contains the name of the object for which the authorization is to be checked.

name1 ...

Fields which contain the names of the

name10

authorization fields defined in the object.

f1 ...

Fields which contain the values for which the

f10

authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and a also a value for each ID (or DUMMY).

The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.

The return code value changes according to the different error scenarios. The return code values have the following meaning:

User has no authorization in the SAP System for such an action. If necessary, change the user master record.

Too many parameters (fields, values). Maximum allowed is 10.

Specified object not maintained in the user master record.

No profile entered in the user master record.

The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

Incorrect structure for user master record.

If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ: Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0002'

ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' DUMMY

ID 'ACTVT' FIELD '01':

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0005'

ID 'ACTVT' FIELD '04'.

To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.

Re: Authorization

Former Member — Fri, 15 Feb 2008 05:56:59 GMT

hi,

You should carry out an authorization check before accessing the database.

The AUTHORITY-CHECK

statement first checks whether the user has the authorization containing all the required values. You then read the code value in the system field SY-SUBRC. If this value is 0, the user has the required authorization and the program can continue. If the value is not 0, the user does not possess the required authorization and the system outputs an appropriate message.

The system administrator assigns user authorization when maintaining user master data. During this

process, you should determine exactly which data users are allowed to access and what kind of

access should be allowed. For example, you might want to allow users to display data for all airline

carriers, but only allow them to change data for certain selected ones.

Authorization objects simply define the combination of fields that need to be addressed simultaneously

and serve as templates for both authorizations and authorization checks. They are organized into object

classes in order to make it easier to find and administer them; one object class or several may exist in

each application.

When making authorization checks in programs, you specify the object and values the user needs in an

authorization to be able to access the object. You do not have to specify the name of the authorization.

The Authority-Check statement performs the authority check and returns an appropriate

return code value. When reading this return code, you can specify yourself the consequences of a

missing authorization

You must specify all fields of the object in an AUTHORITY-CHECK. Otherwise you receive a return

code not equal to zero. If you do not want to carry out a check for a particular field, enter DUMMY after

the field name.

The most important return codes for AUTHORITY-CHECK are:

0: The user has an authorization containing the required values.

4: The user does not have the required authorization.

8: The check could not successfully be carried out since not all fields of the object were specified.


REPORT sapbc400pbs_forms.
CONSTANTS actvt_display TYPE activ_auth VALUE '03'.
DATA: wa_flight TYPE sbc400focc,
it_flight TYPE sbc400_t_sbc400focc.
PARAMETERS: pa_car TYPE sflight-carrid.
DATA: returncode LIKE sy-subrc.
START-OF-SELECTION.
* Authority-Check:
PERFORM authority_scarrid USING pa_car actvt_display
CHANGING returncode.
CASE returncode.
* User is authorized
WHEN 0.
SELECT carrid connid fldate seatsmax seatsocc FROM sflight
INTO CORRESPONDING FIELDS OF wa_flight
WHERE carrid = pa_car.
wa_flight-percentage =
100 * wa_flight-seatsocc / wa_flight-seatsmax.
APPEND wa_flight TO it_flight.
ENDSELECT.
PERFORM write_list USING it_flight.

* User is not authorized or other error of authority-check
WHEN OTHERS.
WRITE: / 'Authority-Check Error'(001).
ENDCASE.

Hope this helps. Do reward

Edited by: Runal Singh on Feb 15, 2008 11:29 AM

Re: Authorization

Former Member — Fri, 15 Feb 2008 06:05:08 GMT

Hi chaya,

please see to the tutorioal below.

if useful reward points, and also add some commnets to the below link

[TUTORIAL|https://wiki.sdn.sap.com/wiki/display/Snippets/ConceptofAuthorizationForusers]

Re: Authorization

Former Member — Fri, 15 Feb 2008 07:13:31 GMT

Hi,

Pls refer to the link:

http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm

Regards,

Renjith Michael.

http://www.sourceveda.com/

Re: Authorization

Former Member — Fri, 15 Feb 2008 07:37:33 GMT

EVERYHTING U NEED TO KNOW ABOUT

AUTHORIZATION CHECKS

You should carry out an authorization check before accessing the database. The AUTHORITY-CHECK

statement first checks whether the user has the authorization containing all the required values. You

then read the code value in the system field SY-SUBRC. If this value is 0, the user has the required

authorization and the program can continue. If the value is not 0, the user does not possess the required

authorization and the system outputs an appropriate message.

Later in this course, you will learn how to make fields on the selection screen ready for input again if you

perform the authorization check right after the selection screen, and how to output a message if the user

does not have the required authorization.

All data in the SAP system must be protected from unauthorized access by users who do not explicitly

have permission to access it.

The system administrator assigns user authorization when maintaining user master data. During this

process, you should determine exactly which data users are allowed to access and what kind of

access should be allowed. For example, you might want to allow users to display data for all airline

carriers, but only allow them to change data for certain selected ones. In this case, the system must look

for a combination of the fields 'activity' and 'airline carrier' each time it performs an authorization check.

Both fields must be filled with values during authorization creation as well (in this example, activity

'Change' and airline carrier 'LH' or activity 'Display' and airline carrier '*'). This is carried out by an

authorization object composed of the fields 'Activity' and 'Airline carrier' that has to be addressed both

during the authorization assignment process and whenever your program performs an authorization

check.

Authorization objects simply define the combination of fields that need to be addressed simultaneously

and serve as templates for both authorizations and authorization checks. They are organized into object

classes in order to make it easier to find and administer them; one object class or several may exist in

each application. You call the authorization object maintenance transaction from the 'Development'

menu in the ABAP Workbench. A complete list of all development objects, sorted according to class and

including their corresponding fields and documentation, is part of this transaction.

When making authorization checks in programs, you specify the object and values the user needs in an

authorization to be able to access the object. You do not have to specify the name of the authorization.

The above example checks whether or not the user is authorized for the object S_CARRID, which has

the value 'LH' in the field CARRID (airline) and the value '02' for 'Change' in the field ACTVT (activity).

The abbreviations for the activities are documented in the tables TACT and TACTZ and also in the

appropriate objects.

Important: The Authority-Check statement performs the authority check and returns an appropriate

return code value. When reading this return code, you can specify yourself the consequences of a

missing authorization (for example, program terminates or skips some input lines).

AUTHORITY-CHECK OBJECT 'S_CARRID'

ID CARRID FIELD '__________'

ID ACTVT FIELD '__________'.

IF SY-SUBRC NE 0.

ENDIF.

Inserting AUTHORITY-CHECK in Programs

...

AUTHORITY-CHECK

...

Insert statement

S_CARRID

Pattern

You insert

variables

and

parameters

System

generates

ABAP code

IF SY-SUBRC NE 0.

Process

return code

You must specify all fields of the object in an AUTHORITY-CHECK. Otherwise you receive a return

code not equal to zero. If you do not want to carry out a check for a particular field, enter DUMMY after

the field name.

Example: When calling a transaction to change flight data, you should check whether or not the user is

authorized to change the entries for a particular airline carrier: AUTHORITY-CHECK

OBJECT 'S_CARRID' ID 'ACTVT' FIELD '02'

ID 'CARRID' DUMMY.

The most important return codes for AUTHORITY-CHECK are:

The user has an authorization containing the required values.

The user does not have the required authorization.

The check could not successfully be carried out since not all fields of the object were specified.

For a complete list of return codes, refer to the keyword documentation for the AUTHORITY-CHECK

statement.

You can only specify a single field after the FIELD addition, not a selection table. There are function

modules which carry out the AUTHORITY-CHECK for all values in the selection table.

REWARD IF HELPFUL

Re: Authorization

Former Member — Fri, 15 Feb 2008 07:45:21 GMT

AUTHORIZATION OBJECTS

The SAP authorization concept, based on authorization Objects, has been realized to provide an understandable and simple procedure.

Several system elements which are to be protected form an authorization object.

An authorization object allows complex tests of an Authorization for multiple conditions.

Authorizations allow users to execute actions within the system.

An authorization object groups up to ten fields that related by AND.

For an authorization check to be successful, all field values of the authorization object must be maintained in the user master.

When a transaction is called, a system program makes various checks to ensure that the user has the appropriate authorization.

AUTHORITY-CHECK checks whether a user has appropriate authorization. To do this, it searches in the specified authorization profile in the user master record to see whether the user has authorization for the authorization object specified in the command.

If the authorization is found and it contains the correct values, the check is successful.

A programmer wants to make an authorization check before bookings for business customers can be changed.

To do this, the programmer should create an authorization fields and assign for each field defined the value to be checked .

Authorization fields are created under Tools -> ABAP Workbench -> Development -> Other tools -> Authorization objects -> Fields .

SYNTAX:

AUTHORITY-CHECK OBJECT 'L_TCODE'

ID 'TCD' FIELD sy-tcode.

IF sy-subrc NE 0.

MESSAGE i010(zmsg) WITH sy-tcode.

LEAVE TO SCREEN 0.

ENDIF.