Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Authorization Object

Go to solution
raghav_2497
Explorer

‎2022 May 17 2:32 PM

0 Likes
4,439

I have a requirement wherein if user does not have access to FBL1N then the same user should not be able to see data for report (in which all the details of vendors are displayed w.r.t. data type) and if user has access to FBL1N then the data should appear in ALV report.

My Approach :

I created an authorization object in which I maintained one field BLART (for doc. type) and same I passed into report.

Now, the user does not have an access to FBL1N t-code still I am getting an output in ALV.

1 ACCEPTED SOLUTION
Read only

Go to solution
FredericGirod
Active Contributor

‎2022 May 17 2:44 PM

0 Likes
4,145

Why did you create an authorization object for something already existing ?

You could simply check S_TCODE with FBL1n

or you could check using SU24, what object is tested during FBL1n

10 REPLIES 10
Read only

Go to solution
FredericGirod
Active Contributor

‎2022 May 17 2:44 PM

0 Likes
4,146

Why did you create an authorization object for something already existing ?

You could simply check S_TCODE with FBL1n

or you could check using SU24, what object is tested during FBL1n

Read only

Go to solution
raghav_2497
Explorer
In response to FredericGirod

‎2022 May 18 6:44 AM

0 Likes
4,145

I can't chek s_tcode because I want to restrict user for only particular document types which can be anything not something specific.

for example if a user is authorized for AB, KR, KE, SW document types in FBL1N then the same user should be able to see data for only these four document types in ALV report.

Read only

Go to solution
FredericGirod
Active Contributor
In response to FredericGirod

‎2022 May 18 7:20 AM

4,145

So again, use transaction SU24 to identify the good standard object used in transaction FBL1n to filter on document type or other ... Other solution, if you feel unconfortable with SU24, put a trace with STAUTHTRACE to identify which object is checked and values used
Read only

Go to solution
Sandra_Rossi
Active Contributor

‎2022 May 17 4:00 PM

4,145

Please give all the details, not just a summary of what you did.

Read only

Go to solution
RaymondGiuseppi
Active Contributor

‎2022 May 17 4:34 PM

4,145

What's your actual requirement?

  • If you really want to replicate FBL1n authority checks, first execute SU24 on transaction FBL1n to get the list of authorizations check performed by the standard transaction (if you have enough time) and code those checks in your program...
  • If you only want to check that current user is allowed to FBL1n and then bypass any check performed by the system (you know that some employee are converted into vendor, etc.) just check authority on object S_TCODE or use FM AUTHORITY_CHECK_TCODE.
Read only

Go to solution
RaymondGiuseppi
Active Contributor
In response to RaymondGiuseppi

‎2022 May 18 10:38 AM

4,145

Also DON'T create any authorization object for this requirement, use the same objects than the standard report (The authorization/roles managers will not like you otherwise)

Hint: for document type it's F_BKPF_BLA, but don't use BKPF-BLART, but T003-BEGRU associated with the document type Customizing (groups of document types by authorization) - There is also a FM FI_BLART_AUTH_CHECK that do the job. Read also the authorization object documentation from SU24 or SU21.

Read only

Go to solution
raghav_2497
Explorer
In response to RaymondGiuseppi

‎2022 May 18 2:25 PM

0 Likes
4,145

Hello Raymond,

I used standard authorization object F_LFA1_BEK for the same, but it requires you to maintain authorization group in document type since I do not have any use of the authorization group field I can't use this standard group hence, I had to create a new one.

Read only

Go to solution
RaymondGiuseppi
Active Contributor
In response to RaymondGiuseppi

‎2022 May 19 1:29 PM

0 Likes
4,145

F_LFA1_BEK doesn't use the group associated to document, but the group associated to vendor (LFA1-BEGRU in vendor main table)

Replicating the standard controls can take time, but if you add complexity, allow for some delay

Hint: Did you look (where-used in abap workbench) the main authority objects checked by the standard FI item reports, with some luck you could find some methods/FMs that are available to process those checks in your version?

Reading you again, it is less clear on what you want to display, data from the vendor base or from accounting documents on those vendors?

Read only

Go to solution
raghav_2497
Explorer

‎2022 May 18 6:47 AM

0 Likes
4,145

Hi Sandra,

Example: if a user is authorized for AB, KR, KE, SW document types in FBL1N then the same user should be able to see data for only these four document types.

This is the exact requirement.

Read only

Go to solution
Sandra_Rossi
Active Contributor

‎2022 May 18 7:23 AM

4,145

I guess your question is not about the concept of authorizations, but you are asking the experts of FBL1N which user exit is to be used to place your code to restrict the result, or if there's another way.

As I don't know FBL1N, I would do a trace of authorization checks to see whether it is already filtering based on any authorization. If not, then you should do an ABAP trace to see which subroutine displays the result, which user exits exist, and place your code through user exit or Enhancement Framework.

Of course, to do that, searching the forum will help you a lot.