-
Products and Technology
By Category
-
Groups
Activity Groups
Industry Groups
Influence and Feedback Groups
Interest Groups
Location Groups
Customer Only Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
Products
- Autonomous Enterprise
- Artificial intelligence
- Data and analytics
- Autonomous Suite
- Technology platform
- Transformation management
- Midsize business solutions
- Financial management
- Spend management
- Supply chain management
- Human capital management
- Customer experience
- Enterprise resource planning
- Business network
- Sustainability management
- SAP Store
- Try SAP
- View all industries
- Partners
- Services
Learning and Support
-
- Products and Technology
- Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
- Explore SAP
-
Products
- Products
- Autonomous Enterprise
- Artificial intelligence
- Data and analytics
- Autonomous Suite
- Technology platform
- Transformation management
- Midsize business solutions
- Financial management
- Spend management
- Supply chain management
- Human capital management
- Customer experience
- Enterprise resource planning
- Business network
- Sustainability management
- SAP Store
- Try SAP
- View all industries
- Partners
- Services
- Learning and Support
- About
- SAP Community
- Groups
- Interest Groups
- Application Development and Automation
- Discussions
- Re: Doubt in Authorization
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Doubt in Authorization
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:37 AM
- SAP Managed Tags
- ABAP Development
Hi All
I am very new to this topic.I have a piece of code with me...So tell me in a simple way what does it means....My doubts are
1. what is the use of Authorization-checks
2. In the below code what is OBJECT , ID and FIELD..What does it means..Tell me with a simple example...
3. Is there any other type of Authorization Checks...
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD pa_carr
ID 'ACTVT' FIELD '03'.
Proper answers Will Be Rewarded..
Thanks..
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:52 AM
- SAP Managed Tags
- ABAP Development
Hi
1. what is the use of Authorization-checks: it's to check if the user can or can't do something.
Every user has a profile, the profile is constituted by authorization objects and they determine the area where the user can work.
2. In the below code what is OBJECT , ID and FIELD..What does it means..Tell me with a simple example...
OBJECT = The name of authorization object
ID = The name of the field of the object
FIELD = the value to be checked3.
For example the object F_BKPF_BUK is to define for wich company code a user can work.
This object has the followin fields:
BUKRS = Company Code
ACTVT = The activity code (what a user can do)
So if you want to know if a user can post a document for the company code AAAA:
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD 'AAAA'
ID 'ACTVT' FIELD '01'.
IF SY-SUBRC <> 0.
----trigger message error displaying the user can't post the document for company code AAAA
ENDIF.U can see all objects by trx SU21
U can see the profile/role by trx PFGC
Max
3. Is there any other type of Authorization Checks...
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD pa_carr
ID 'ACTVT' FIELD '03'.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:40 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:44 AM
- SAP Managed Tags
- ABAP Development
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
...
ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:48 AM
- SAP Managed Tags
- ABAP Development
Hi
Thanks..Can U Give me a simple example also..So that i can understand the concept simply..,,,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:49 AM
- SAP Managed Tags
- ABAP Development
Hi
What does the OBJECT Stands for...Where we are using this keyword actually..
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:50 AM
- SAP Managed Tags
- ABAP Development
hi,
The Authorization checks are used to ensure that the user has proper authorizations.
e.g a developer can only use a particular transation if he / she has proper authorizations.
This can either be display(03), create(01), change(02) authorizations. There can be many more but the main are only these three.
Each authorization has an authorization object. each object has field for which authorizations can be given.
In the e.g that you have specified: For the field : pa_carr you only have display authorizations.
another example :
To check the authorization of the user of an ABAP program, use the AUTHORITY-CHECK statement:
AUTHORITY-CHECK OBJECT '<object>'
ID '<name1>' FIELD <f1>
ID '<name2>' FIELD <f2>
.............
ID '<name10>' FIELD <f10>.
<object> is the name of the object that you want to check. You must list the names (<name1>, <name2> ...) of all authorization fields that occur in <object>. You can enter the values <f 1 >, <f 2 >.... for which the authorization is to be checked either as variables or as literals. The AUTHORITY-CHECK statement checks the user’s profile for the listed object, to see whether the user has authorization for all values of <f>. Then, and only then, is SY-SUBRC set to 0. You can avoid checking a field by replacing FIELD <f> with DUMMY. You can only evaluate the result of the authorization check by checking the contents of SY-SUBRC. For a list of the possible return values and further information, see the keyword documentation for the AUTHORITY-CHECK statement. For further general information about the SAP authorization concept, refer to Users and Authorizations.
This link gives you more explanations
http://www.geocities.com/SiliconValley/Grid/4858/sap/Basis/AuthIntro.htm
For more detailed explanation please go through these links:
http://help.sap.com/saphelp_47x200/helpdata/en/fc/eb3ba5358411d1829f0000e829fbfe/frameset.htm
http://help.sap.com/saphelp_47x200/helpdata/en/52/67167f439b11d1896f0000e8322d00/frameset.htm
Regards,
Narayani
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:52 AM
- SAP Managed Tags
- ABAP Development
Hi
1. what is the use of Authorization-checks: it's to check if the user can or can't do something.
Every user has a profile, the profile is constituted by authorization objects and they determine the area where the user can work.
2. In the below code what is OBJECT , ID and FIELD..What does it means..Tell me with a simple example...
OBJECT = The name of authorization object
ID = The name of the field of the object
FIELD = the value to be checked3.
For example the object F_BKPF_BUK is to define for wich company code a user can work.
This object has the followin fields:
BUKRS = Company Code
ACTVT = The activity code (what a user can do)
So if you want to know if a user can post a document for the company code AAAA:
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD 'AAAA'
ID 'ACTVT' FIELD '01'.
IF SY-SUBRC <> 0.
----trigger message error displaying the user can't post the document for company code AAAA
ENDIF.U can see all objects by trx SU21
U can see the profile/role by trx PFGC
Max
3. Is there any other type of Authorization Checks...
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'CARRID' FIELD pa_carr
ID 'ACTVT' FIELD '03'.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2007 May 29 8:58 AM
Bluesky