Authorization Access using Custom Table

celo_berger
Active Participant

Hi everyone,

Here's my scenario: I want to restrict the data users can display in BEx queries by a specific list of company codes. The list will be maintained in a custom table that has: USER ID, Sequence No, Company Code

These are the steps I have taken:

1. Made the infoobject 0COMP_CODE Authorization relevant

2. Created a BEx variable of type Customer Exit, ZCOMPCODE and assigned it to 0COMP_CODE in BEx

3. I created a new authorization object in RSECADMIN, ZCOMP, inserted the Special Characters, as well as 0COMP_CODE, and assigned it the variable $ZCOMPCODE created in BEx

4. I assigned ZCOMP to a role and assigned that role to my test user

5. I created code in CMOD in the include ZXRSRU01 to carry out my logic to lookup the custom table with my list of company codes

Here's my issue:

My logic works fine, and the report only returns data for the company codes in the table, ONLY if I also assign 0BI_ALL to S_RS_AUTH.

In other words:

- if S_RS_AUTH only has ZCOMP, my authorization check fails.

- if S_RS_AUTH has both ZCOMP and 0BI_ALL, my report works.

I have two roles assigned to my test user:

Z_COMP only has the S_RS_AUTH object in it

Z_REPORT_USER has all the other authorizations based on template S_RS_RREPU. I have deactivated S_RS_AUTH in it, as Z_COMP has it.

It seems counterintuitive to have to assign 0BI_ALL for my custom security to work, but not being a security person, I might have missed something, and would appreciate any input from the experts out there.

I look forward to your replies.

Marcelo Berger

Accepted Solutions (1)

Former Member

At first glance, your process seems to be correct; can't see any obvious reason why it doesn't work without BI_ALL.

What I can say is that adding BI_ALL is not the solution, as it will nullify the process of ZCOMP, granting all authorizations on all objects that are authorization relevant.

One tip: did you try transaction RSUDO? It allows you to run a query as a certain user via RSRT and gives you a log of the authorization checks if there was an error. It will hopefully give you more info on why it fails without 0BI_ALL.

celo_berger
Active Participant

Thanks Tom.

I checked the log, please find it below:

In order to make this easier, please find below all the steps I took:

1. Made the object auth relevant

2. Added the object to BEx

3. Created a variable of type customer exit and assigned to infoobject

4. Created auth object ZCOMP and included all the infoobjects that are authorization relevant, and flagged them as * for all access

5. Restricted the access of 0FCC_ITEM__0COMP_CODE by the variable created in BEx

6. Assigned this auth object to role Z_BW_COMP_CODE_0001

I have another role with all the necessary authorizations for the user to run RSRT, with the exception of S_RS_AUTH which is on the role in step 6

6. I created my custom code to read my custom table in CMOD, include ZXRSRU01, which works:

CASE i_vnam.
  WHEN 'ZCOMPCODE'.
* Logic to pre-populate the variable screen with values from the custom table
    IF i_step = 1.
      TYPES: BEGIN OF t_comp,
               user TYPE xubname,
               item TYPE posnr_va,
               comp TYPE bukrs,
             END OF t_comp.
      DATA: l_s_range TYPE rsr_s_rangesid,
            lt_comp   TYPE STANDARD TABLE OF t_comp,
            wa_comp   TYPE t_comp.
* Select company code data from custom mapping table
      SELECT *
        FROM zsec_bukrs
        INTO TABLE lt_comp
        WHERE user_id = sy-uname.
      IF sy-subrc = 0.
        CLEAR: wa_comp, l_s_range.
*       One EQ interval per company code the user is mapped to
        LOOP AT lt_comp INTO wa_comp.
          l_s_range-low  = wa_comp-comp.
          l_s_range-sign = 'I'.
          l_s_range-opt  = 'EQ'.
          APPEND l_s_range TO e_t_range.
        ENDLOOP.
      ENDIF.
    ENDIF.
ENDCASE.

* Logic to validate the populated values in the selection screen for Company Code
* (i_step = 3 is called once for all variables, without i_vnam, so it sits outside the CASE)
IF i_step = 3.
  DATA: wa_var_range TYPE rrrangeexit,
        l_comp       TYPE bukrs.
  CLEAR l_comp.
  LOOP AT i_t_var_range INTO wa_var_range WHERE vnam = 'ZCOMPCODE'.
    l_comp = wa_var_range-low.
*   Every value entered on the screen must exist in the mapping table for this user
    SELECT SINGLE *
      FROM zsec_bukrs
      INTO wa_comp
      WHERE comp_code = l_comp
        AND user_id   = sy-uname.
    IF sy-subrc NE 0.
      CALL FUNCTION 'RRMS_MESSAGE_HANDLING'
        EXPORTING
          i_class  = 'RSBBS'
          i_type   = 'E'
          i_number = '000'
          i_msgv1  = 'You are not authorized for Comp Code - '
          i_msgv2  = wa_var_range-low
          i_msgv3  = ' , Enter different CC - '
          i_msgv4  = sy-uname
        EXCEPTIONS
*         dummy    = 1
          OTHERS   = 2.
*     AGAIN sends the user back to the variable screen
      RAISE again.
    ENDIF.
  ENDLOOP.
ENDIF.


7. I execute the report in RSRT for my test user ZSECTEST, and my initial code works, as it pre-populates the company code values based on the custom table entries:


If I try to add new Company Code values it doesn't allow me, which is fine:


But when I execute, I would expect the report to return for the pre-populated values above, but get an auth error message, which is at the top of this reply:


If I now add the 0BI_ALL to the role, the report runs correctly:

And below is the log:


So here it is. Let me know if this is clearer now, and what I'm doing incorrectly.


Appreciate everyone's help so far.


Thanks,


Marcelo

sander_vanwilligen
Active Contributor

Hi Marcelo,


The overall approach seems to be solid. However, I miss appropriate coding to fill Variable ZCOMPCODE in the context of Analysis Authorization object ZCOMP.


You have to process the Customer-exit Variable at processing step 0, i.e. i_step = 0. Only then will it be processed for authorization.


The solution is in my opinion: add processing step 0 to the current coding as follows:


CASE i_vnam.
  WHEN 'ZCOMPCODE'.
* Logic to pre-populate the variable screen with values from the custom table
    IF i_step = 0 OR i_step = 1.
...


Best regards,

Sander


celo_berger
Active Participant

Thank you Sander! I modified the code as you recommended and it worked like a charm! I guess I missed that i_step 0 statement.

Thank you everyone for your help!

Marcelo

celo_berger
Active Participant

Hi All,

The solution above has been working well, but I've come across a new question.

I have now enhanced my custom security table where I have two security values:

USER   COMPCODE    DOCTYPE
ABC    0001:0002   AB:CD:EF
DEF    0001:0002

In the example above, my code works perfectly for user ABC, as there are values for both characteristics.

For user DEF, since DOCTYPE is blank, I would expect that user to have access to all Document Types for the two company codes.

However, I'm getting an authorization issue for user DEF that he doesn't have sufficient authorization.

What would be the best approach to fix this? I've tried appending the e_t_range table with * but that's not an acceptable value.

Below is my updated ABAP code in CMOD:

WHEN 'ZDOCTYPE'.
  IF i_step = 0 OR i_step = 1.
    TYPES: BEGIN OF t_dctp,
             user TYPE xubname,
             item TYPE posnr_va,
             comp TYPE mi_node_text,
             dctp TYPE mi_node_text,
           END OF t_dctp.
    DATA: lt_dctp   TYPE STANDARD TABLE OF t_dctp,
          wa_dctp   TYPE t_dctp,
          lt_doctyp TYPE STANDARD TABLE OF blart,
          v_dt      TYPE blart.
*   l_s_range is declared in the ZCOMPCODE branch; l_username (TYPE xubname)
*   must be declared once in the include
*   Get username
    CALL FUNCTION 'RSEC_GET_USERNAME'
      IMPORTING
        e_username = l_username.
    SELECT *
      FROM zsec_bukrs
      INTO TABLE lt_dctp
      WHERE user_id = l_username.
    IF sy-subrc = 0.
      CLEAR: wa_dctp, l_s_range, lt_doctyp, v_dt.
      READ TABLE lt_dctp INDEX 1 INTO wa_dctp.
*     DOCTYPE is stored as a colon-separated list; one EQ interval per value
      SPLIT wa_dctp-dctp AT ':' INTO TABLE lt_doctyp.
      IF lt_doctyp[] IS NOT INITIAL.
        LOOP AT lt_doctyp INTO v_dt.
          l_s_range-low  = v_dt.
          l_s_range-sign = 'I'.
          l_s_range-opt  = 'EQ'.
          APPEND l_s_range TO e_t_range.
        ENDLOOP.
      ENDIF.
*     A blank DOCTYPE produces no valid EQ interval here, hence the failure for user DEF
    ENDIF.
  ENDIF.


Thanks again!


Marcelo

Former Member

Not sure, maybe the l_s_range-opt should be 'CP' instead of 'EQ' when you have a "*" as the value?

Btw, your code doesn't show a 'catch' of an empty value (changing it to '*') in v_dt coming from your ZSEC_BUKRS table

sander_vanwilligen
Active Contributor

Hi Marcelo,

As Tom already indicated, the current coding does not take care of the case that no document is found. If you want to grant full authorization, then you have to program that (i.e. CP *).

You could enhance the coding as follows:

IF lt_doctyp[] IS NOT INITIAL.
  LOOP AT lt_doctyp INTO v_dt.
    l_s_range-low  = v_dt.
    l_s_range-sign = 'I'.
    l_s_range-opt  = 'EQ'.
    APPEND l_s_range TO e_t_range.
  ENDLOOP.
ELSE.                               "<<< new
  l_s_range-low  = '*'.             "<<< new
  l_s_range-sign = 'I'.             "<<< new
  l_s_range-opt  = 'CP'.            "<<< new
  APPEND l_s_range TO e_t_range.    "<<< new
ENDIF.

By the way, I see in the authorization log another issue: Company Code ARG1 is not authorized either.

Best regards,

Sander
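Added example, not code from this thread: one ZXRSRU01 branch that serves both ZCOMPCODE and ZDOCTYPE from ZSEC_BUKRS and combines the two fixes discussed above (filling the variable at i_step = 0, and returning a CP * interval when the cell is blank). It assumes one row per user with columns USER_ID, COMP_CODE and DOC_TYPE, values stored as colon-separated lists such as '0001:0002'.

```abap
* Added example, not the thread's own code. Assumed: ZSEC_BUKRS has one row
* per user with USER_ID, COMP_CODE, DOC_TYPE; values are colon-separated
* lists (e.g. '0001:0002'); a blank cell means "all values".
DATA: l_username TYPE xubname,
      ls_sec     TYPE zsec_bukrs,
      lt_values  TYPE STANDARD TABLE OF string,
      lv_value   TYPE string,
      lv_list    TYPE string,
      ls_range   TYPE rsr_s_rangesid.

CASE i_vnam.
  WHEN 'ZCOMPCODE' OR 'ZDOCTYPE'.
*   Step 0 is the authorization run, step 1 the variable-screen default;
*   without step 0 the analysis authorization is never filled.
    IF i_step = 0 OR i_step = 1.
*     RSEC_GET_USERNAME (rather than sy-uname) returns the user whose
*     authorizations are being checked, which matters when testing via RSUDO.
      CALL FUNCTION 'RSEC_GET_USERNAME'
        IMPORTING
          e_username = l_username.
      SELECT SINGLE * FROM zsec_bukrs INTO ls_sec
        WHERE user_id = l_username.
*     No row for the user: e_t_range stays empty and the check fails closed.
      IF sy-subrc = 0.
        IF i_vnam = 'ZCOMPCODE'.
          lv_list = ls_sec-comp_code.
        ELSE.
          lv_list = ls_sec-doc_type.
        ENDIF.
        SPLIT lv_list AT ':' INTO TABLE lt_values.
        DELETE lt_values WHERE table_line IS INITIAL.
        CLEAR ls_range.
        ls_range-sign = 'I'.
        IF lt_values IS INITIAL.
*         Blank cell: one CP * interval, because EQ * is not accepted
*         as a characteristic value.
          ls_range-opt = 'CP'.
          ls_range-low = '*'.
          APPEND ls_range TO e_t_range.
        ELSE.
          ls_range-opt = 'EQ'.
          LOOP AT lt_values INTO lv_value.
            ls_range-low = lv_value.
            APPEND ls_range TO e_t_range.
          ENDLOOP.
        ENDIF.
      ENDIF.
    ENDIF.
ENDCASE.
```

Whether a user with a blank DOC_TYPE really sees every document type can be confirmed in the RSUDO authorization log, which lists the intervals the exit returned at step 0.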

Answers (1)

Former Member

Hi, Please check out these links on this topic.

Bex Query Designer: selection variable, define ... | SCN

Regards

Saad

celo_berger
Active Participant

Thanks Syed, but I couldn't find anywhere in those posts that specifically answer my question around 0BI_ALL having to be assigned to the role in order for my solution to work.

Best regards,

Marcelo