2009 Jun 17 9:49 AM
Hi All,
We have created a SAP query and infoset for displaying invoices. We want to restrict the users from viewing data of company code for which they don't have display authorization. For instance if user is authorized only for displaying data for US company code then he should not be able to see the data for company Italy. Also the company code parameter is a select option in SAP query.
So the user can enter '*' also. In that case we want to display the data for all company codes for which user is authorized to. We tried to do change in code in infoset on AT SELECTION SCREEN but its not working as the variables in the program generated for query are not visible in Infosets. Please let us know how can we fix this requirement.
KR Jaideep,
2009 Jun 17 10:00 AM
Hi,
Code the Authority-check in section 6 - END-OF-SELECTION.
For example:
AUTHORITY-CHECK OBJECT 'V_KONH_VKO'
ID 'VKORG' FIELD A910-VKORG
ID 'SPART' FIELD '10'
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
MESSAGE 'Insufficient Authorization.Some data is truncated.' TYPE 'I'.
CONTINUE.
endif.
2009 Jun 17 10:00 AM
Hi,
Code the Authority-check in section 6 - END-OF-SELECTION.
For example:
AUTHORITY-CHECK OBJECT 'V_KONH_VKO'
ID 'VKORG' FIELD A910-VKORG
ID 'SPART' FIELD '10'
ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
MESSAGE 'Insufficient Authorization.Some data is truncated.' TYPE 'I'.
CONTINUE.
endif.
2009 Jun 17 10:08 AM
Hi Jaideep,
Use AUTHORITY-CHECK to restrict access to the database based on user.
Press F1 on AUTHORITY-CHECK to find out how to use it in the code.
Regards,
Saumya
2009 Jun 17 10:17 AM
instead of concentraeteing on the authorisation checks on company code
check with the at the user level
2009 Jun 17 10:29 AM
Hi,
Go to tcode:SQ03 Usergroup, and enter the name of the usergroup or create a new user group.
Choose Assign Users and InfoSets.Enter the names of those users that are to belong to this user group.
Using Settings -> Without Selection, here you have to enter the names of the users manually.
To be able to make changes to queries, the user requires authorization for the authorization object S_QUERY with the value Change.
Using the pushbuttons:
Change Authorization, Select All, give authorization for all users of a user group.
Change Authorization, Delete All, revoke authorization for all users of a user group.
By clicking on the checkbox before the name of a user to set or delete the indicator, you can give or revoke change authorization for individual users.
Also, assign Infoset and Save.
2009 Jun 17 11:50 AM
Enchace the infoset and into extras at tab CODE and code selection Record Processing
include a code something like following
AUTHORITY-CHECK OBJECT 'F_SKA1_KTP'
ID 'KTOPL' FIELD SKA1-KTOPL
ID 'ACTVT' FIELD '03'.
Check SY-SUBRC EQ '0'.
2009 Jun 17 2:47 PM
Hi All,
Thanks alot for your valuable inputs.
I have made following modifications in the infosets.
*---Authorization for Company code entered by the users.
*---This code will restrict users to see data for company
*---codes which they are not authorized to.
*---Select all the company codes based upon selection entered by the
*---user
SELECT bukrs
FROM t001
INTO TABLE li_bukrs
WHERE bukrs IN bukrs.
IF sy-subrc EQ 0.
*---Clear Screen variable for Company code
CLEAR bukrs.
REFRESH bukrs.
*---Filter and prepare Select options for Company code table to be
*---passed to query. Table will only have values of company codes he is
*---authorized to for display.
LOOP AT li_bukrs INTO lwa_bukrs.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD lwa_bukrs
ID 'ACTVT' FIELD '03'.
IF sy-subrc = 0.
bukrs-sign = 'I'.
bukrs-option = 'EQ'.
bukrs-low = lwa_bukrs.
bukrs-high = space.
APPEND bukrs.
ELSE.
lv_flag = 'X'.
ENDIF.
ENDLOOP.
*---Give warning message to the user in case he is not authorized to see
*---data for all the company codes that he has entered.
IF lv_flag = 'X'.
MESSAGE ID 'ZF_MSS_FNG' TYPE 'W' NUMBER '015'.
ENDIF.
ENDIF.
2011 Jun 21 10:50 AM
Hello,
I'm sorry to bring that old post but I'm in the same situation.
How and where to add your code in the SAP Query ?
When checking the source code, there is an error after the first select so the query couldn't be generated.
"The IN operator with "BUKRS" is followed neither by an internal table nor by a value list."
I managed to add this code directly into the program by replacing "bukrs" by the select-options object refering to company code (ex: SP$00003), but I'd prefer to maintain all this authorization check inside the SAP Query.
Is there any ABAP developer out there who can't help me achieving this authorization check through SAP Query.
Regards,
Thierry Kennes
2009 Jun 17 2:47 PM
2009 Jul 11 5:49 PM
Hello Jaideep,
How are you..!!
I have a similar requirement regarding Authority checks for selection screen inputs in a SAP Query,
Could you please share the resolution for this issue..!!
Thanks
Best Regards,
Shivaji Gannavarapu
Edited by: SHIVAJI GANNAVARAPU on Jul 11, 2009 10:27 PM
2019 Sep 12 7:49 AM
Hi,
there is a problem with the above mentioned authorization check in SQ02. If you enter * (Wildcard) for e.g. plant field, the authorization check DOSN'T work correct!
Update: I found the solution for the Wildcard * issue. Now it is working fine...
2019 Oct 04 1:24 PM
Hi,
you are right the one marked as "best Answer" doesn't work for range or Wildcard.
I have made a blog post to solve this issue. The blog is inspired by the reply given by Jaideep in this thread on 17 June 2019. The code of Jaideep has just a small error. If the user has not auth at all he will see everything.
https://blogs.sap.com/2015/11/23/custom-authorization-in-sq01-queries/
In the example i'm going to read all Company codes based on the selection then I check the authorization for all of them.
If it succeed I put them back as selection of the query.
This way I ensure that only company codes he is allows are displayed.
You can do the same way with the plant. Read the plants based on the selection from table T001W then make the auth check.
Best regards
Yannick