2008 Nov 17 6:19 PM
Hi all,
I am basically a security person, but I have some doubts about AUTHORITY-CHECK in ABAP code, so I thought this is the best place to understand the execution of ABAP code.
Q1. I know that ABAP programmers put an authority check in ABAP code, and when the program is executed the AUTHORITY-CHECK compares whether the user has access to this object or not.
For example, take some tcode ZXYY.
I activated 3 objects out of some 20 objects for this tcode in SU24.
Authority checks are placed in the program.
When this tcode is executed and the ABAP code starts, I think it will do the authority check for the first object, and if the user has the profile for it, it will go on to the second authority check. If the user does not have the profile for that one (I made it inactive in the role), will the code terminate and throw an error right there, or will it go on to the 3rd object, for which the user again has access? (The user has access to this 3rd object.)
Can anyone explain?
Q2. Should the activities be the same as in the AUTHORITY-CHECK?
I mean, if in the authority check you give activities 02 and 03, and in the user profile I give only 02, will it work or not?
thanks,
Sun
2008 Nov 17 6:42 PM
Hi Sun,
Here are answers to your questions:
> Q1. I know that ABAP programmers put an authority check in ABAP code, and when the program is executed the AUTHORITY-CHECK compares whether the user has access to this object or not.
> For example, take some tcode ZXYY.
> I activated 3 objects out of some 20 objects for this tcode in SU24.
> Authority checks are placed in the program.
> When this tcode is executed and the ABAP code starts, I think it will do the authority check for the first object, and if the user has the profile for it, it will go on to the second authority check. If the user does not have the profile for that one (I made it inactive in the role), will the code terminate and throw an error right there, or will it go on to the 3rd object, for which the user again has access? (The user has access to this 3rd object.)
> Can anyone explain?
Answer: What needs to be done after an authority check is entirely the choice of the developer. Right after the AUTHORITY-CHECK statement, the developer checks the value of the system variable SY-SUBRC. Normally, if the value is NOT EQUAL to ZERO, it means that the AUTHORITY-CHECK has FAILED, so the developer may choose not to continue further.
But if the failure of the AUTHORITY-CHECK is not so important, the developer may even choose to continue. Thus it is more the developer's choice what he/she needs to do after the success/failure of the AUTHORITY-CHECK statement.
> Q2. Should the activities be the same as in the AUTHORITY-CHECK?
> I mean, if in the authority check you give activities 02 and 03, and in the user profile I give only 02, will it work or not?
Answer: Yes, this will work fine, provided the allowed activities for the field ACTVT are both 02 and 03. So even if only one is true, the AUTHORITY-CHECK returns SY-SUBRC = 0.
Regards,
Ravi.
2008 Nov 17 6:40 PM
Hi Sun
Q1: it depends on the purpose of the program: it can use the authority-check for two main reasons:
- A) To check if the user can do something: so if he can't, the program should be stopped.
- B) To check if the user can see something: so if he can't, the program doesn't display certain data.
So if the authorizations have a certain hierarchy, I can suppose that if the first authority-check fails, the program shouldn't test the others but try to process the next data:

    LOOP AT itab.
      AUTHORITY-CHECK OBJECT <OBJ>
        ID <FIELD> FIELD <VALUE>.
      IF sy-subrc <> 0.
        CONTINUE.  " Check next record
      ELSE.
        " Second object, same pattern
        AUTHORITY-CHECK OBJECT <OBJ2>
          ID <FIELD> FIELD <VALUE>.
      ENDIF.
    ENDLOOP.

In this situation it's very important that the user has all the authorization objects, of course.
Q2) In an AUTHORITY-CHECK OBJECT statement only one value can be checked: so it checks if the user has 02 or 03, not both together.
So if you give 02, the authority-check will work for 02 only.
Anyway the developer can skip the check for certain fields of an authority object:

    AUTHORITY-CHECK OBJECT <OBJ>
      ID ........................................
      ID 'ACTVT' DUMMY.

In this situation the authority-check does not depend on the value of the activity.
Max
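Added example (not from Sun, Ravi or Max): a small ABAP report that puts both answers into code, a gate check whose failure ends the program beside a per-row check whose failure only hides the row, and two separate checks where "02 or 03" is wanted. It assumes a hypothetical authorization object Z_DEMO_OBJ with the fields VERSN and ACTVT; the two rows are constructed sample data.

```abap
REPORT z_authcheck_demo.

" Constructed sample rows (hypothetical data for the demo).
TYPES: BEGIN OF ty_row,
         versn TYPE c LENGTH 3,
         text  TYPE c LENGTH 20,
       END OF ty_row.
DATA: lt_rows    TYPE STANDARD TABLE OF ty_row WITH DEFAULT KEY,
      lt_visible TYPE STANDARD TABLE OF ty_row WITH DEFAULT KEY,
      ls_row     TYPE ty_row.

ls_row-versn = '000'. ls_row-text = 'Plan'.     APPEND ls_row TO lt_rows.
ls_row-versn = '001'. ls_row-text = 'Forecast'. APPEND ls_row TO lt_rows.

" Q1, variant A: a gate check; here the developer decides a failure ends the
" program. Z_DEMO_OBJ is a hypothetical object with fields VERSN and ACTVT;
" DUMMY means the VERSN field is deliberately not checked at all.
AUTHORITY-CHECK OBJECT 'Z_DEMO_OBJ'
  ID 'VERSN' DUMMY
  ID 'ACTVT' FIELD '02'.
CASE sy-subrc.
  WHEN 0.
    " authorised, carry on
  WHEN 4.
    MESSAGE 'You are not authorised to change versions.' TYPE 'E'.
  WHEN OTHERS.
    " any other value signals a faulty call (unknown object, field name that
    " does not belong to it, ...); fail closed, never treat it as success
    MESSAGE 'Authorization check could not be performed.' TYPE 'E'.
ENDCASE.

" Q1, variant B, and Q2: a per-row check; failure only hides the row. One
" AUTHORITY-CHECK tests one ACTVT value, so "03 or 02" takes two checks.
LOOP AT lt_rows INTO ls_row.
  AUTHORITY-CHECK OBJECT 'Z_DEMO_OBJ'
    ID 'VERSN' FIELD ls_row-versn
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    AUTHORITY-CHECK OBJECT 'Z_DEMO_OBJ'
      ID 'VERSN' FIELD ls_row-versn
      ID 'ACTVT' FIELD '02'.
  ENDIF.
  IF sy-subrc <> 0.
    CONTINUE.   " neither 03 nor 02 for this version: skip it silently
  ENDIF.
  APPEND ls_row TO lt_visible.
ENDLOOP.

LOOP AT lt_visible INTO ls_row.
  WRITE: / ls_row-versn, ls_row-text.
ENDLOOP.
```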
2013 Nov 21 7:24 AM
Refer to the code below:

    IF sy-tcode = 'CJ40'.
    * One AUTHORITY-CHECK can carry only one value per field, so the
    * activities 01, 02 and 03 are tested one after the other.
      AUTHORITY-CHECK OBJECT 'ZPS_VERSN'  "'ZWMM_WERK'
        ID 'VERSN' FIELD bpdy-versn
        ID 'ACTVT' FIELD '01'.
      IF sy-subrc = 0.
    *   Authorised for 01: nothing further is done in this branch.
      ELSE.
        AUTHORITY-CHECK OBJECT 'ZPS_VERSN'  "'ZWMM_WERK'
          ID 'VERSN' FIELD bpdy-versn
          ID 'ACTVT' FIELD '02'.
        IF sy-subrc = 0.
    *     Authorised for 02: nothing further is done in this branch.
        ELSE.
          AUTHORITY-CHECK OBJECT 'ZPS_VERSN'  "'ZWMM_WERK'
            ID 'VERSN' FIELD bpdy-versn
            ID 'ACTVT' FIELD '03'.
          IF sy-subrc = 0.
    *       Authorised for 03: pass the keys on and jump to CJ41.
            versn  = bpdy-versn.
            v_proj = proj-pspid.
            wbs    = prps-posid.
            SET PARAMETER ID 'PSP' FIELD v_proj.
            SET PARAMETER ID 'BP2' FIELD versn.
            SET PARAMETER ID 'PRO' FIELD wbs.
            LEAVE TO TRANSACTION 'CJ41' AND SKIP FIRST SCREEN.
          ELSE.
            MESSAGE 'You are not authorised for this version.' TYPE 'E'.
          ENDIF.
        ENDIF.
      ENDIF.
    ENDIF.