‎2008 Dec 16 3:46 PM
Hi,
I have a query regarding the use of authorization objects.
I have developed 9 custom programs for 9 departments in the organization. These transactions (programs) will be executed by different individuals for different plants.
In the sel screen of all programs, I have a field called PLANT. Now I need to check whether the user who is executing the transaction is authorized for that particular plant which he enters in the sel screen. For this I have thought of 2 solutions:
1. Create as many different roles as there are plants in the system, and the last 4 characters of the role name will have the PLANT ID. Then in my program, when the plant field is entered, check the last 4 characters of the role assigned to the user and accordingly check whether he is authorized to use the transaction for that plant.
2. Create an authorization object for the role using the plant key and then check whether the user is authorized or not.
Can anyone suggest which of the above 2 methods is the correct way of doing the requirement stated above? I know auth object is the SAP std way but I don't know the pros and cons of using authorization object. Can anyone please suggest?
<removed_by_moderator>
Edited by: Julius Bussche on Dec 17, 2008 1:03 AM
‎2008 Dec 16 3:56 PM
I'm sure there is already an authorisation object for plant, this needs to be added to your programs at the selection screen.
In terms of roles, you can create a parent role which has the plant object in it, then create child roles with the different values for plants. Then any changes you make to the parent role (adding new objects) will be reflected in the child roles with no extra maintaining.
You might also get more answers if you posted this in the 'Authorisations' forum.
‎2008 Dec 16 8:05 PM
‎2008 Dec 17 12:04 AM
‎2008 Dec 16 10:31 PM
Hi,
Please check in table TOBJ. This table includes all the authorization objects; pick up the correct authorization object based on the object class of your program.
For example, if your program is MM related, you can use authorization object
M_MATE_MZP
Similarly you can find for other areas.
With best regards,
Navneet Chaubey
‎2008 Dec 17 4:23 AM
Hi,
There is no doubt that authorization object is the standard SAP recommended way of providing authorizations. You can use one of the standard delivered objects if it suits your requirements only make use of the fields WERKS and create your own customized object.
But, make sure that you include this object within your program code for Authority-Check.
And as you have already mentioned you can have different roles for different plants and assigned to users accordingly.
‎2008 Dec 17 7:40 AM
To do this properly, e.g. more or less like SAP does it, you must understand the following.
For proper authorization check(s) to happen, they will have to be coded into the program.
Inside an ABAP program, authorization checks against the current user's authorization profiles - the whatsits generated from authorization data contained within a role - are performed by an ABAP statement AUTHORITY-CHECK. Your ABAP programmer must know how to work one into a program. It is very simple, but you will have to specify what authorization object you want to have.
Choosing an authorization object to use can be very easy. Or not. It all depends on what the program does and what you are trying to protect. Sometimes, it can be beneficial to create your own custom authorization object, but more often than not using SAP standard object is a better choice.
You said that on the selection screen of the transaction you have a field 'Plant' (actual field name is 'WERKS'). This should be one of the fields a potential authorization object must have.
Next, we must understand what activities with data the program provides for the user. Does it simply display some data or does it allow for change or even creation of data? Either way, a potential authorization object should have a field 'ACTVT'.
Two fields should be enough and this narrows down the choice of authorization objects (in my release) to 91. To narrow it down even more, you should consider what type of data does the program work with - this will let us choose an object class (which, to the best of my knowledge, is simply a way of grouping authorization objects based on functional SAP area and has no bearing on the functionality of the object). Without knowing, it is hard for me to suggest anything here. However, this should narrow the search down to a few objects you can easily choose from and you probably want to disregard any objects that have more fields than are really required.
Once your chosen authorization object is implemented into the program, I suggest you enter it as a Checked/Maintained object for the transaction in question and add default field values (you probably want to leave the 'WERKS' field blank and only fill in 'ACTVT'), using transaction SU24. This will help you with role maintenance.
Now all that is left is to maintain the roles. Since you have 9 departments, I'm assuming you will have 9 roles, each giving authorizations for different plants. Then you can assign a role to a user, depending on his/her department.
Well. This is certainly one way to do it.
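An added illustration, not code from any poster in this thread: the AUTHORITY-CHECK on plant and activity described above, wired to the selection screen. The report name ZPLANT_REPORT and the object ZPLANT_RPT (assumed to have exactly the fields WERKS and ACTVT) are hypothetical; the example goes slightly beyond a single plant field by resolving a range to real plants and checking each one.

```abap
REPORT zplant_report.

* ZPLANT_RPT is a hypothetical custom authorization object with the two
* fields discussed above: WERKS (plant) and ACTVT (activity).
* Activity '03' is the standard value for "Display".

TABLES t001w.

DATA: gt_plants TYPE STANDARD TABLE OF werks_d,
      gv_werks  TYPE werks_d.

SELECT-OPTIONS s_werks FOR t001w-werks OBLIGATORY.

AT SELECTION-SCREEN ON s_werks.
* Resolve whatever the user typed (single values, ranges, patterns)
* into the plants that actually exist, so that a range such as
* 1000-1999 cannot slip past a check made on the typed value alone.
  SELECT werks FROM t001w INTO TABLE gt_plants
    WHERE werks IN s_werks.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'No plant matches the selection'.
  ENDIF.

* Check every resolved plant against the user's authorizations.
* The kernel evaluates the authorization data in the user master;
* the program never looks at role names.
  LOOP AT gt_plants INTO gv_werks.
    AUTHORITY-CHECK OBJECT 'ZPLANT_RPT'
      ID 'WERKS' FIELD gv_werks
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
*     Error message keeps the user on the selection screen.
      MESSAGE e001(00) WITH 'No display authorization for plant' gv_werks.
    ENDIF.
  ENDLOOP.

START-OF-SELECTION.
* Only plants that passed the check are in gt_plants at this point;
* read business data restricted to them.
  LOOP AT gt_plants INTO gv_werks.
    WRITE: / 'Processing plant', gv_werks.
  ENDLOOP.
```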