2010 Jun 29 11:47 PM
Hi
We've created a 'Z' authorization object through SE21 and we added it to a Role, but it doesn't work. The point is that a user can only see documents with a specific Requisitioner code. Which step is missing for this?
Thanks in advance.
2010 Jun 30 12:26 AM
Tokio,
It's quite a common situation:
1. To create the authorization object, choose the SU21 transaction.
2. First double-click an object class to select it.
3. Provide the name of the object and relevant text.
4. Add the fields that should be included in the new authorization object.
5. Hit Save. Once you click on save it'll ask for package details (select the relevant package from the drop-down list) and save again.
6. New auth object is created now.
7. Click on permitted activities to select the activities and save the changes.
Add this newly created custom authorization object to the tcode through SU24 and maintain it as Check maintain.
You need to change the code for the transaction to include an authority-check on your object. Just creating it and adding it to a role will do nothing. (Consult an ABAPer for this step.)
After this go to PFCG -> enter the role name -> change -> add the tcode in menu -> Auth tab -> export mode -> read old status and merge with new data -> in auth you will see the object -> generate it / do user comparison.
For additional check information follow Martin's advice.
If you still have doubts:
http://www.sapnet.ru/viewtopic.php?p=8417
Thanks,
Sri
2010 Jun 30 12:07 AM
Hi,
I guess you meant SU21. Anyway, just the definition of an authorization object is not enough to introduce a new authorization check. The authorization check for your custom object needs to be performed somewhere in the code. If you want to add an additional check for transactions ME2xN then you need to look for a suitable user exit or enhancement point where you could perform the additional authorization check. Have a look at BADI ME_PROCESS_PO_CUST. Maybe reading the documentation about the authorization concept in SAP would give you a better overall view of what you need to do.
Cheers
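The authority check that the replies above say must exist in code, as an added example (not code from any poster in this thread): it filters selected document rows by requisitioner and fails closed. The object name Z_REQ_AFNM, its field ZAFNAM, the report name and the sample rows are hypothetical, and ABAP 7.40 or later syntax is assumed.

```abap
REPORT z_requisitioner_auth_demo.

" Hypothetical names (not from the thread): authorization object Z_REQ_AFNM
" with fields ZAFNAM (requisitioner) and ACTVT (activity), created in SU21.
CONSTANTS: gc_auth_object TYPE c LENGTH 10 VALUE 'Z_REQ_AFNM',
           gc_display     TYPE c LENGTH 2  VALUE '03'.

TYPES: BEGIN OF ty_item,
         ebeln TYPE c LENGTH 10,   " document number
         ebelp TYPE n LENGTH 5,    " item number
         afnam TYPE c LENGTH 12,   " requisitioner
       END OF ty_item,
       ty_items TYPE STANDARD TABLE OF ty_item WITH EMPTY KEY.

DATA: gt_visible TYPE ty_items,
      gv_ok      TYPE abap_bool.

START-OF-SELECTION.
  " Constructed sample rows standing in for the documents the transaction selected.
  DATA(gt_items) = VALUE ty_items(
    ( ebeln = '4500000001' ebelp = '00010' afnam = 'REQ_A' )
    ( ebeln = '4500000002' ebelp = '00010' afnam = 'REQ_B' )
    ( ebeln = '4500000003' ebelp = '00010' afnam = 'REQ_A' ) ).

  " Fail closed: keep only rows the user is explicitly authorized to display.
  LOOP AT gt_items ASSIGNING FIELD-SYMBOL(<ls_item>).
    PERFORM check_requisitioner USING <ls_item>-afnam CHANGING gv_ok.
    IF gv_ok = abap_true.
      APPEND <ls_item> TO gt_visible.
    ENDIF.
  ENDLOOP.

  LOOP AT gt_visible ASSIGNING <ls_item>.
    WRITE: / <ls_item>-ebeln, <ls_item>-ebelp, <ls_item>-afnam.
  ENDLOOP.

" Sets cv_ok to abap_true only when the user's roles grant display access
" for this requisitioner value on the custom object.
FORM check_requisitioner USING    iv_afnam TYPE clike
                         CHANGING cv_ok    TYPE abap_bool.
  AUTHORITY-CHECK OBJECT gc_auth_object
    ID 'ZAFNAM' FIELD iv_afnam
    ID 'ACTVT'  FIELD gc_display.
  " sy-subrc = 0 means authorized; any non-zero value is treated as a denial.
  cv_ok = xsdbool( sy-subrc = 0 ).
ENDFORM.
```

Without a statement like this in the program path, values maintained for the object in PFCG are never evaluated, which matches the behaviour described in the question.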
2010 Jun 30 12:16 AM
Hi,
I totally agree with Martin,
I had a similar situation once: for a process team, they created a custom transaction and they needed it to be added to a role.
They needed it to work for a specific location, so without an authority check it could not happen.
So what our security team did was create a custom authorization object and a custom authorization field, hand over the information to the ABAP developer, and recommend placing those to perform authority checks in their code.
When they came back after this, we added the object/field name and also populated the required values, and it all worked great.