Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Authorization checks

Go to solution
Former Member

‎2007 Feb 28 7:32 AM

0 Likes
952

Hi all,

I haven't used authorization checks in any of my program till now.

I got a faint idea about it using help but can anyone give a more clear picture of Autho. objects, fields ,etc.

thanx in advance

1 ACCEPTED SOLUTION
Read only

Go to solution
Former Member

‎2007 Feb 28 7:41 AM

0 Likes
863

Hi,

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID name10 FIELD f10.

Effect

Explanation of IDs:

object

Field which contains the name of the object for which the authorization is to be checked.

name1 ...

Fields which contain the names of the

name10

authorization fields defined in the object.

f1 ...

Fields which contain the values for which the

f10

authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and a also a value for each ID (or DUMMY).

The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.

The return code value changes according to the different error scenarios. The return code values have the following meaning:

4

User has no authorization in the SAP System for such an action. If necessary, change the user master record.

8

Too many parameters (fields, values). Maximum allowed is 10.

12

Specified object not maintained in the user master record.

16

No profile entered in the user master record.

24

The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

28

Incorrect structure for user master record.

32

Incorrect structure for user master record.

36

Incorrect structure for user master record.

If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ: Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0002'

ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' DUMMY

ID 'ACTVT' FIELD '01':

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0005'

ID 'ACTVT' FIELD '04'.

Example

here we check whether the user has authorisation the program

AUTHORITY-CHECK OBJECT 'ztest'

ID 'GLGLOBAL'

FIELD 'test'.

IF SY-SUBRC <> 0.

MESSAGE S000 WITH 'You are not authorized to execute'

'this Program'.

LEAVE PROGRAM.

ENDIF.

Regards,

Sruthi

5 REPLIES 5
Read only

Go to solution
sreeramkumar_madisetty
Active Contributor

‎2007 Feb 28 7:35 AM

0 Likes
863

Hi

In this way we can code the authority checks.

LOOP AT i_t001.

AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'

ID 'ACTVT' FIELD '03'

ID 'BUKRS' FIELD I_T001-BUKRS.

IF SY-SUBRC <> 0.

MESSAGE ID 'FR' TYPE 'E' NUMBER '064' WITH I_T001-BUKRS.

ENDIF.

or else simply create the entry in TPGP table and use that entry in your program properties ->authorization object.

Regards,

kumar

Read only

Go to solution
Former Member

‎2007 Feb 28 7:36 AM

0 Likes
863

Hi,

Syntax:

AUTHORITY-CHECK OBJECT <authorization object>

ID <authority field 1> FIELD <field value 1>.

ID <authority field 2> FIELD <field value 2>.

...

ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

To check the authorization of the user of an ABAP program, use the AUTHORITY-CHECK statement:

AUTHORITY-CHECK OBJECT '<object>'

ID '<name1>' FIELD <f1>

ID '<name2>' FIELD <f2>

.............

ID '<name10>' FIELD <f10>.

Regards

Sudheer

Read only

Go to solution
Former Member

‎2007 Feb 28 7:39 AM

0 Likes
863

Hi,

You have to first create the required Authrization Object and Fields for that in SU21 Transaction.

Then In the program you can use that Object.

You can also assign the same Authorization object in SE93 Transaction for a particular Report/Object.

Regards,

Anji

Read only

Go to solution
Former Member

‎2007 Feb 28 7:41 AM

0 Likes
864

Hi,

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID name10 FIELD f10.

Effect

Explanation of IDs:

object

Field which contains the name of the object for which the authorization is to be checked.

name1 ...

Fields which contain the names of the

name10

authorization fields defined in the object.

f1 ...

Fields which contain the values for which the

f10

authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and a also a value for each ID (or DUMMY).

The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.

The return code value changes according to the different error scenarios. The return code values have the following meaning:

4

User has no authorization in the SAP System for such an action. If necessary, change the user master record.

8

Too many parameters (fields, values). Maximum allowed is 10.

12

Specified object not maintained in the user master record.

16

No profile entered in the user master record.

24

The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

28

Incorrect structure for user master record.

32

Incorrect structure for user master record.

36

Incorrect structure for user master record.

If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ: Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0002'

ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' DUMMY

ID 'ACTVT' FIELD '01':

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0005'

ID 'ACTVT' FIELD '04'.

Example

here we check whether the user has authorisation the program

AUTHORITY-CHECK OBJECT 'ztest'

ID 'GLGLOBAL'

FIELD 'test'.

IF SY-SUBRC <> 0.

MESSAGE S000 WITH 'You are not authorized to execute'

'this Program'.

LEAVE PROGRAM.

ENDIF.

Regards,

Sruthi