Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Authorization object

Go to solution
Former Member

‎2007 May 24 1:51 PM

0 Likes
1,615

Hi All,

Suppose user (XYZ) is not authorized to run transaction (e.g. IW32). How can we get the authority to run transaction (IW32) from different user (e.g ABC) while i am login with XYZ ? Can we push a different user (ABC) to get the authority to work with transaction (IW32) while i am login with user (XYZ) ?

1 ACCEPTED SOLUTION
Read only

Go to solution
former_member784222
Active Participant

‎2007 May 24 2:01 PM

0 Likes
1,064

Hi,

You cannot run a transaction in foreground without authorization for that transaction.

But you can think of submitting the transaction as a session using other username who has the login.

Just go thru the documentation of FM BDC_OPEN_GROUP, BDC_INSERT and BDC_CLOSE_GROUP.

In fm BDC_OPEN_GROUP you can specify the username who has authorization to the transaction code.

Thanks and regards,

S. Chandra Mouli.

5 REPLIES 5
Read only

Go to solution
Former Member

‎2007 May 24 1:56 PM

0 Likes
1,064

Hi

If you use the profiles of the user who has authorization, then you can use that Transaction see the doc:

In general different users will be given different authorizations based on their role in the orgn.

We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

USe SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>

ID <authority field 1> FIELD <field value 1>.

ID <authority field 2> FIELD <field value 2>.

...

ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'

ID 'ACTVT' FIELD '02'

ID 'CUSTTYPE' FIELD 'B'.

IF SY-SUBRC <> 0.

MESSAGE E...

ENDIF.

'S_TRVL_BKS' is a auth. object

ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

This Authorization concept is somewhat linked with BASIS people.

As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

Take the help of the basis Guy and create and use.

Reward points if useful

Regards

Anji

Read only

Go to solution
suresh_datti
Active Contributor

‎2007 May 24 1:58 PM

0 Likes
1,064

Unfortunately you cannot inherit/share Authn profiles that way.. Once you login as XYZ, you are stuck with whatever XYZ is authorized to & thats the way it is supposed to be.. why do you want to bypass Authn?

~Suresh

Read only

Go to solution
Former Member

‎2007 May 24 2:00 PM

0 Likes
1,064

I know that it's look crazy, but you can change sy-uname on 'ABC' and call authority check for user 'ABC' while login with 'XYZ'. Little bug in security R/3 system... You can also call transaction 'IW32' for user 'ABC'... It's worked in 4.6, 4.7, for erp2005 - i don't check.

Also for your question you can run FM AUTHORITY_CHECK for user 'ABC'

Read only

Go to solution
former_member784222
Active Participant

‎2007 May 24 2:01 PM

0 Likes
1,065

Hi,

You cannot run a transaction in foreground without authorization for that transaction.

But you can think of submitting the transaction as a session using other username who has the login.

Just go thru the documentation of FM BDC_OPEN_GROUP, BDC_INSERT and BDC_CLOSE_GROUP.

In fm BDC_OPEN_GROUP you can specify the username who has authorization to the transaction code.

Thanks and regards,

S. Chandra Mouli.

Read only

Go to solution
Former Member

‎2007 May 24 2:10 PM

0 Likes
1,064

Hi Abhishek,

For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.

Authorization Check in ABAP Programs

A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID namen FIELD fn.

object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the user’s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1 FIELD f2 with DUMMY.

After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.

Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:

· 0: The user has an authorization for all specified values.

· 4: The user does not have the authorization.

· 8: The number of specified fields is incorrect.

· 12: The specified authorization object does not exist.

A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.

Example

REPORT demo_authorithy_check.

PARAMETERS pa_carr LIKE sflight-carrid.

DATA wa_flights LIKE demo_focc.

AT SELECTION-SCREEN.

AUTHORITY-CHECK OBJECT 'S_CARRID'

ID 'CARRID' FIELD pa_carr

ID 'ACTVT' FIELD '03'.

IF sy-subrc = 4.

MESSAGE e045(sabapdocu) WITH pa_carr.

ELSEIF sy-subrc <> 0.

MESSAGE e184(sabapdocu) WITH text-010.

ENDIF.

START-OF-SELECTION.

SELECT carrid connid fldate seatsmax seatsocc

FROM sflight

INTO CORRESPONDING FIELDS OF wa_flights

WHERE carrid = pa_carr.

WRITE: / wa_flights-carrid,

wa_flights-connid,

wa_flights-fldate,

wa_flights-seatsmax,

wa_flights-seatsocc.

ENDSELECT.

In this example, the system checks with the authorization object S_CARRID whether or not the user has a display authorization (03) for the airline entered on a selection screen. If this is not the case, or a different error occurs, the Selection Screen Processing goes back to the display of the selection screen.

Regards,

prasad