Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

regarding authorization objects.

Former Member

‎2008 Jan 23 7:44 AM

0 Likes
1,441

hello everyone,

suppose i create a new authorization object then how can i assign particular functionality for that object.

3 REPLIES 3
Read only

Former Member

‎2008 Jan 23 7:51 AM

0 Likes
820

hi vishal,

You should carry out an authorization check before accessing the database. The AUTHORITY-CHECK statement first checks whether the user has the authorization containing all the required values. You then read the code value in the system field SY-SUBRC. If this value is 0, the user has the required authorization and the program can continue. If the value is not 0, the user does not possess the required

authorization and the system outputs an appropriate message.

The system administrator assigns user authorization when maintaining user master data. During this process, you should determine exactly which data users are allowed to access and what kind of access should be allowed. For example, you might want to allow users to display data for all airline carriers, but only allow them to change data for certain selected ones. In this case, the system must look

for a combination of the fields 'activity' and 'airline carrier' each time it performs an authorization check.

This is carried out by an authorization object composed of the fields 'Activity' and 'Airline carrier' that has to be addressed both during the authorization assignment process and whenever your program performs an authorization check.

Authorization objects simply define the combination of fields that need to be addressed simultaneously and serve as templates for both authorizations and authorization checks. They are organized into object classes in order to make it easier to find and administer them; one object class or several may exist in each application. You call the authorization object maintenance transaction from the 'Development'

menu in the ABAP Workbench. A complete list of all development objects, sorted according to class and

including their corresponding fields and documentation, is part of this transaction.

When making authorization checks in programs, you specify the object and values the user needs in an authorization to be able to access the object. You do not have to specify the name of the authorization.

The Authority-Check statement performs the authority check and returns an appropriate return code value. When reading this return code, you can specify yourself the consequences of a missing authorization (for example, program terminates or skips some input lines).

The most important return codes for AUTHORITY-CHECK are:

0: The user has an authorization containing the required values.

4: The user does not have the required authorization.

8: The check could not successfully be carried out since not all fields of the object were specified.

Hope this is helpful, Do reward.

Edited by: Runal Singh on Jan 23, 2008 1:23 PM

Read only

Former Member

‎2008 Jan 25 9:27 AM

0 Likes
820

see the example below

report display_carrier.

parameters p_carrid type scarr-carrid default 'LH'.

AUTHORITY-CHECK

OBJECT 'S_CARRID'

ID 'CARRID' FIELD P_CARRID

ID 'AVTVT' FIELD '03'.

IF SY-SUBRC = 0.

SELECT...

ELSE.

<reaction to missing authorization>

ENDIF.

for detailed info refer SAPBC400DDS_AUTHORITY_CHECK

authorization object S_CARRID

fields:carrid(airline)

actvt(activity)

authorization DISPLAY_ALL

CARRID =

ACTVT =

authorization CHANGE_LH

CARRID = LH

ACTVT = 02

Read only

Former Member

‎2008 Jan 25 10:49 AM

0 Likes
820

Hi,

In general different users will be given different authorizations based on their role in the orgn.

We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

USe SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>

ID <authority field 1> FIELD <field value 1>.

ID <authority field 2> FIELD <field value 2>.

...

ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

Authorization : An authorization enables you to perform a particular activity in the SAP

System, based on a set of authorization object field values.

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'

ID 'ACTVT' FIELD '02'

ID 'CUSTTYPE' FIELD 'B'.

IF SY-SUBRC <> 0.

MESSAGE E...

ENDIF.

'S_TRVL_BKS' is a auth. object

ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

This Authorization concept is somewhat linked with BASIS people.

As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

Take the help of the basis Guy and create and use.

Sy-SUBRC values

4 User has no authorization in the SAP System for

such an action. If necessary, change the user

master record.

8 Too many parameters (fields, values). Maximum

allowed is 10.

12 Specified object not maintained in the user

master record.

16 No profile entered in the user master record.

24 The field names of the check call do not match

those of an authorization. Either the

authorization or the call is incorrect.

28 Incorrect structure for user master record.

32 Incorrect structure for user master record.

36 Incorrect structure for user master record.

With Regards

Madhu