
Generic function module to perform authority checks?

Former Member
0 Likes
4,374

We are looking at implementing authority checks for all our custom programs. One solution is to go into each and every program and code authority-check for each of the selection criteria.

Is there a way to develop a function module that can be dropped into each program and take care of all authority checks? Or perhaps a better solution?

authority-check object 'M_MATE_WRK'
                  id 'ACTVT' field '03'
                  id 'WERKS' field s_werks-low.

I am thinking of something like this

if selection screen contains werks 
 do authority check for werks 
if selection screen contains matnr 
 do authority check for matnr

Is this a feasible solution?

Edited by: Thomas Zloch on Jan 11, 2011 5:38 PM - subject enhanced

11 REPLIES

ThomasZloch
Active Contributor
0 Likes
2,879

I don't think this is feasible. For your custom reports, you should compare what objects are checked by similar SAP standard reports (e.g. using ST01 trace) and implement these accordingly.

For example, there is F_SKA1_BES, which is checked for each G/L account that has an authorization group assigned. This is impossible to check upfront at the selection screen; you rather need to check it for each single G/L account as per user selection and determine whether the user is allowed to see the account at all.

For more technical type of programs you can assign authorization groups in the program attributes which are automatically checked against objects S_PROGRAM and S_DEVELOP.

Thomas


Former Member
0 Likes
2,879

Hi

I think it's possible to group the reports under certain criteria in order to create several function modules (one for every group) that check the common authorizations, but I don't think it's possible to create only one solution, because there can be different authorization objects for the same field.

Max


0 Likes
2,879

This is the part I don't understand. Why does the same field have multiple authorization groups?

Take the case of werks. All the below exist in the system. I guess I don't understand authorization checks well enough. What does the statement below mean, and what is the difference between each of these authorization groups?

authority-check object 'M_MATE_WRK'
                  id 'ACTVT' field '03'
                  id 'WERKS' field s_werks.

M_AMPL_WRK	ACTVT	WERKS	Approved Manufacturer Parts List - Plant
M_ANFR_WRK	ACTVT	WERKS	Plant in RFQ
M_ANGB_WRK	ACTVT	WERKS	Plant in Quotation
M_BANF_WRK	ACTVT	WERKS	Plant in Purchase Requisition
M_BEST_WRK	ACTVT	WERKS	Plant in Purchase Order
M_EINF_WRK	ACTVT	WERKS	Plant in Purchasing Info Record
M_LPET_WRK	ACTVT	WERKS	Plant in Scheduling Agreement Delivery Schedule
M_MATE_WRK	ACTVT	WERKS	Material Master: Plants
M_ORDR_WRK	ACTVT	WERKS	Plant in Source List
M_QUOT_WRK	ACTVT	WERKS	Plant (Quotas)
M_RAHM_WRK	ACTVT	WERKS	Plant in Outline Agreement
M_RECH_WRK	WERKS	ACTVT	Invoices: Plant
M_SKPF_WRK	ACTVT	WERKS	Inventory Sampling: Plant


Former Member
0 Likes
2,879

Hi Meghan,

I had the same requirement. Go for creating a function module where you have:

1. Importing parameters as screen parameters.

2. Select-options as range tables.

3. Use an FM to pop up in the function module if the authority check fails.

4. Call this function module in your program.

5. Pass sy-tcode or the program name for the authority check.

6. Write logic in the function module to check the authorization.

This worked for me; hope this is useful.

Thanks and Regards,

Manjunath M


0 Likes
2,879

This is what I am looking to do. But how do we create such a function module? How do we know what the authorization object is and what the ACTVT is?


0 Likes
2,879

Hi

Which authorization object is to be used depends on which kind of data has to be analyzed.

For example:

M_BANF_WRK ACTVT WERKS Plant in Purchase Requisition

M_BEST_WRK ACTVT WERKS Plant in Purchase Order

If you have a report that shows the requisitions, it needs to use M_BANF_WRK; if the report is for purchase, it needs to use M_BEST_WRK. There's no rule; every report has to be analyzed in order to know which objects have to be checked.

Every user can have different functions for the same object but for different documents: for example, I can create a requisition for certain plants, but I can only see the order for the same plants.

There are different objects for the same field for these reasons.

ACTVT indicates which actions can be done by user, for example:

ACTVT = 01 -> Create

ACTVT = 02 -> Change

ACTVT = 03 -> Display

........

Max


0 Likes
2,879
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     REFERENCE(BUKRS) TYPE  T001-BUKRS OPTIONAL
*"     REFERENCE(WERKS) TYPE  T001W-WERKS OPTIONAL
*"     REFERENCE(EKORG) TYPE  T024E-EKORG OPTIONAL
*"  EXPORTING
*"     REFERENCE(RETURN)
*"  TABLES
*"      XBUKREIS OPTIONAL
*"      RANGE_WERKS OPTIONAL
*"      EKORG_RAN OPTIONAL
*"      TLINE OPTIONAL
*"----------------------------------------------------------------------
* Structures to fetch data
  TYPES: BEGIN OF ty_bukrs,
           bukrs TYPE t001-bukrs,
         END OF ty_bukrs,
         BEGIN OF ty_werks,
           werks TYPE t001w-werks,
         END OF ty_werks,
         BEGIN OF ty_ekorg,
           ekorg TYPE t024e-ekorg,
         END OF ty_ekorg.
* Internal tables
  DATA: i_bukrs TYPE STANDARD TABLE OF ty_bukrs,
        i_werks TYPE STANDARD TABLE OF ty_werks,
        i_ekorg TYPE STANDARD TABLE OF ty_ekorg,
        i_error TYPE STANDARD TABLE OF tline.
* Work areas
  DATA: wa_bukrs TYPE ty_bukrs,
        wa_werks TYPE ty_werks,
        wa_ekorg TYPE ty_ekorg,
        wa_stext TYPE tline.
* Flag: the header line of the current block has already been written
  DATA: l_flag TYPE c.

* Authorization check logic for company code
* (xbukreis[] tests the table body, not the header line)
  IF xbukreis[] IS NOT INITIAL.
    SELECT bukrs FROM t001 INTO TABLE i_bukrs
      WHERE bukrs IN xbukreis.
  ELSEIF bukrs IS NOT INITIAL.
    SELECT bukrs FROM t001 INTO TABLE i_bukrs
      WHERE bukrs EQ bukrs.
  ENDIF.
  LOOP AT i_bukrs INTO wa_bukrs.
* Validate every company code selected by the user.
* ACTVT DUMMY leaves the activity unchecked: any activity passes.
    AUTHORITY-CHECK OBJECT 'M_MATE_BUK'
                     ID 'ACTVT' DUMMY
                     ID 'BUKRS' FIELD wa_bukrs-bukrs.
    IF sy-subrc NE 0.
      IF l_flag IS INITIAL.
        wa_stext-tdline = 'No Authorization for following company codes, '.
        APPEND wa_stext TO i_error.
        l_flag = 'X'.
      ENDIF.
* List the company code that failed the check
      wa_stext-tdline = wa_bukrs-bukrs.
      APPEND wa_stext TO i_error.
      CLEAR wa_stext.
    ENDIF.
  ENDLOOP.
  CLEAR l_flag.

* Authorization check logic for plants
  IF range_werks[] IS NOT INITIAL.
    SELECT werks FROM t001w INTO TABLE i_werks
      WHERE werks IN range_werks.
  ELSEIF werks IS NOT INITIAL.
    SELECT werks FROM t001w INTO TABLE i_werks
      WHERE werks EQ werks.
  ENDIF.
  LOOP AT i_werks INTO wa_werks.
* Validate every plant selected by the user
    AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
                     ID 'ACTVT' DUMMY
                     ID 'WERKS' FIELD wa_werks-werks.
    IF sy-subrc NE 0.
      IF l_flag IS INITIAL.
        wa_stext-tdline = 'No Authorization for following plants, '.
        APPEND wa_stext TO i_error.
        l_flag = 'X'.
      ENDIF.
* List the plant that failed the check
      wa_stext-tdline = wa_werks-werks.
      APPEND wa_stext TO i_error.
      CLEAR wa_stext.
    ENDIF.
  ENDLOOP.
  CLEAR l_flag.

* Authorization check logic for Purchasing Organisation
  IF ekorg_ran[] IS NOT INITIAL.
    SELECT ekorg FROM t024e INTO TABLE i_ekorg
      WHERE ekorg IN ekorg_ran.
  ELSEIF ekorg IS NOT INITIAL.
    SELECT ekorg FROM t024e INTO TABLE i_ekorg
      WHERE ekorg EQ ekorg.
  ENDIF.
  LOOP AT i_ekorg INTO wa_ekorg.
* Validate every purchasing organisation selected by the user
    AUTHORITY-CHECK OBJECT 'M_BEST_EKO'
                     ID 'ACTVT' DUMMY
                     ID 'EKORG' FIELD wa_ekorg-ekorg.
    IF sy-subrc NE 0.
      IF l_flag IS INITIAL.
        wa_stext-tdline = 'No Authorization for following Purchasing Organisation,'.
        APPEND wa_stext TO i_error.
        l_flag = 'X'.
      ENDIF.
* List the purchasing organisation that failed the check
      wa_stext-tdline = wa_ekorg-ekorg.
      APPEND wa_stext TO i_error.
      CLEAR wa_stext.
    ENDIF.
  ENDLOOP.
  CLEAR l_flag.

* Show the failed values, if any, and signal the failure to the caller
  IF i_error IS NOT INITIAL.
    CALL FUNCTION 'COPO_POPUP_TO_DISPLAY_TEXTLIST'
      EXPORTING
        task       = 'DISPLAY'
        titel      = 'List of Authorization checked data'
      TABLES
        text_table = i_error.
    return = 4.
  ENDIF.
ENDFUNCTION.

Thanks and Regards,

Manjunath M

Edited by: Thomas Zloch on Jan 11, 2011 5:55 PM - please use code tags for code, whether it solves the problem or not


0 Likes
2,879

Do you know the table which stores the values? For e.g. I want to know if user has Display authorization for plant PXXX using object M_MATE_WRK. Is there a table that stores this?


0 Likes
2,879

Hi

Try to see fm SUSRAUTH or SUSRPROF

Max


Former Member
0 Likes
2,879

Creating a generic function module is definitely feasible (and in case of Select-options, you will have to do authority check for all entries)...

But you have to still call this FM from each of your custom program and thus change/ test all your programs again...


Former Member
0 Likes
2,879

Hello,

We can try another option, using a custom function module with a custom table.

a) We need to create a custom table; the table fields contain program name, authorization object, authority object field, activity and selection screen field for the authority check as well.

By creating a table maintenance generator for this table, the user is able to maintain the data per program easily and manually.

If multiple authorization checks are required for a program, we need to maintain multiple entries in the table with respect to program name.

b) Create a function module; based on the entry of the calling program, it will execute the authority check dynamically.

Which is very user friendly to maintain.

Regards.
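
The table-driven check described in the post above, as an added example that is not part of the thread: the object, field and activity come from a configuration row, and each plant resolved from the select-option is checked individually. The report name z_auth_cfg_demo, the type ty_cfg and its row layout are assumptions, and an inline row stands in for the custom table.

```abap
REPORT z_auth_cfg_demo.                  " hypothetical name
TABLES t001w.
SELECT-OPTIONS s_werks FOR t001w-werks.
* One row per configured check; stands in for the custom table
TYPES: BEGIN OF ty_cfg,
         progname TYPE sy-repid,         " calling program
         selname  TYPE c LENGTH 8,       " selection-screen field
         object   TYPE c LENGTH 10,      " authorization object
         fieldid  TYPE c LENGTH 10,      " field of that object
         actvt    TYPE c LENGTH 2,       " activity, 03 = display
       END OF ty_cfg.
DATA: lt_cfg     TYPE STANDARD TABLE OF ty_cfg,
      ls_cfg     TYPE ty_cfg,
      lt_werks   TYPE STANDARD TABLE OF t001w-werks,
      lt_allowed TYPE STANDARD TABLE OF t001w-werks,
      lv_werks   TYPE t001w-werks,
      lv_ok      TYPE c LENGTH 1.

START-OF-SELECTION.
* Constructed sample row; a real setup would SELECT it from the table
  ls_cfg-progname = sy-repid.
  ls_cfg-selname  = 'S_WERKS'.
  ls_cfg-object   = 'M_MATE_WRK'.
  ls_cfg-fieldid  = 'WERKS'.
  ls_cfg-actvt    = '03'.
  APPEND ls_cfg TO lt_cfg.
* Expand the select-option to concrete plants, then check each one
  SELECT werks FROM t001w INTO TABLE lt_werks WHERE werks IN s_werks.
  LOOP AT lt_werks INTO lv_werks.
    CLEAR lv_ok.                         " no matching row = denied
    LOOP AT lt_cfg INTO ls_cfg WHERE progname = sy-repid
                                 AND selname  = 'S_WERKS'.
      AUTHORITY-CHECK OBJECT ls_cfg-object
        ID 'ACTVT'        FIELD ls_cfg-actvt
        ID ls_cfg-fieldid FIELD lv_werks.
      IF sy-subrc <> 0.
        CLEAR lv_ok.
        EXIT.                            " one failed check denies
      ENDIF.
      lv_ok = 'X'.
    ENDLOOP.
    IF lv_ok = 'X'.
      APPEND lv_werks TO lt_allowed.
    ENDIF.
  ENDLOOP.
* Continue only with authorized plants; stop if none remain
  IF lt_allowed IS INITIAL.
    MESSAGE 'No authorized plant in selection' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
```

The report's own data selection would then restrict itself to lt_allowed. Because lv_ok starts empty, a program with no configuration row is treated as unauthorized rather than silently passing.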