authorization-checks

Former Member
0 Kudos

Hi all. How can I find out which authorization-checks are done when the function module is called?

tia, regards,

Nikolai

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi ,

When a user starts a transaction, the system performs the following checks:

· The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

· The system then checks whether the user has authorization to start the transaction.

The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.

  • The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

  • If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, table TSTCA).

If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).

· The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.

The check is not performed in the following cases:

You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.

This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.

  • You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.

  • So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).

All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.

Have a look at below link. It will help you for sure.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm

or kindly check

The easiest way is to browse the table USOBT for the authorization objects for a tcode.

Reward pts if found useful :)

Regards

Sathish

8 REPLIES 8

Former Member
0 Kudos

User Authorization Checks

Definition

The authorization to carry out various archiving object programs is checked by the authorization object S_ARCHIVE. The Archive Development Kit (ADK) performs the check when an archive file is opened for one of the following actions:

· Write

· Delete

· Read

· Reload

Use

The following authorizations can be given per archiving object and solution, (such as mySAP Financials or mySAP Human Resources):

· Everything is allowed

Write, read, and reload archives; execute delete programs; change mode in archive management

· Change mode in archive management

Maintain notes

· Read and analyze archives and display mode in archive management

There may also be additional access authorization checks for specific application components.

rewards point if useful.

Former Member
0 Kudos

breakpoint at Statement "authority_check"

Former Member
0 Kudos

Hi,

In the FM there has to be an Authority-Check. Find the corresponding object, go to SU21 and 20, where you will get the fields.

Reward if useful!

Former Member
0 Kudos

Start transaction st01 and enable the trace for "authority check".

Start your program and when it is done disable the trace.

Then choose analysis and all the checks will be displayed.

Hope this helps,

Abhay.

Please reward all participants

Former Member
0 Kudos

Authorization Checks in Your Own Developments

Each time a transaction is started, the system automatically checks for authorization object S_TCODE. This check is also executed for any transactions that you created yourself.

If you use the Profile Generator to generate your authorization profiles automatically, the authorizations for the authorization object S_TCODE are contained in the profiles.

You can also add your own authorization checks to protect critical points in your ABAP programs.

If you call a transaction indirectly, that is from another transaction, the authorization check is not automatically performed. You must use transaction SE97 to set the check indicator check for the entry for the pair of calling and called transaction to ensure that the called transactions are also subject to an authorization check (see SAP Note 358122).

Adding Authorization Checks to Programs

In order to maintain authorization objects and fields, you need access to the authorization object Authorizations (S_USER_AUT).

To add authorization checks to programs, you need to do the following:

...

1. Create an Authorization Field

2. Create an Authorization Object

3. Programming Authorization Checks

Use the ABAP AUTHORITY-CHECK statement. Specify alphabetic values in uppercase letters: ABC. Test values from user master records are converted to uppercase before being passed to AUTHORITY-CHECK.

rewards if useful

Former Member
0 Kudos

There is a function module which has the authorization code check in it: SUSR_AUTHORITY_CHECK_SIMULATE. You may find it in your WebAS/R3.

This will check if your user has the corresponding authorization objects assigned to that person or not during RUNTIME.

You may copy and paste the relevant code into your Z report and accomplish your purpose.

Regards

Abhay Singh.

rewards point if useful.

Former Member
0 Kudos

In general, different users will be given different authorizations based on their role in the organization.

We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

Use SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ...
  ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

Authorization: An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
" SY-SUBRC is 0 only if the user holds a matching authorization
IF SY-SUBRC <> 0.
  MESSAGE E...
ENDIF.

'S_TRVL_BKS' is an auth. object.

ID 'ACTVT' FIELD '02': in place of 2 you can put 1, 2, 3 for change, create or display.

The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

This Authorization concept is somewhat linked with BASIS people.

As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.

Take the help of the basis Guy and create and use.

Thanks

Abhay.

rewards point if useful....
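A static complement to the breakpoint and ST01 approaches in this thread, as an added example that is not part of any post: a small Python scanner that lists the AUTHORITY-CHECK statements in ABAP source with their ID/FIELD pairs and flags any whose result is not tested through sy-subrc in the next statement. The sample source and the names Z_DEMO_BOOKING, ZS_DEMO and S_OLD are constructed for illustration, and the parsing is simplified (no string templates or chained statements).

```python
import re

# Constructed ABAP source; Z_DEMO_BOOKING, ZS_DEMO and S_OLD are hypothetical names.
SAMPLE_ABAP = """\
FUNCTION z_demo_booking.
* AUTHORITY-CHECK OBJECT 'S_OLD' ID 'ACTVT' FIELD '03'.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT'    FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
  IF sy-subrc <> 0.
    MESSAGE e001(zdemo).
  ENDIF.
  AUTHORITY-CHECK OBJECT 'ZS_DEMO' ID 'ACTVT' DUMMY.
  WRITE 'done'.
ENDFUNCTION.
"""

COMMENT_LINE = re.compile(r"^\*.*$", re.M)       # '*' in column 1: whole-line comment
INLINE_COMMENT = re.compile(r'"[^\n]*')          # '"' starts an end-of-line comment
STATEMENT = re.compile(r"(?:'[^']*'|[^.'])+\.")  # up to a period outside a '...' literal
OPERAND = r"('[^']*'|[^\s.]+)"                   # quoted literal or variable name
OBJECT = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+" + OPERAND, re.I)
ID_CLAUSE = re.compile(r"\bID\s+" + OPERAND + r"\s+(?:FIELD\s+" + OPERAND + r"|(DUMMY))", re.I)


def find_authority_checks(source):
    """Return one record per AUTHORITY-CHECK statement found in ABAP source."""
    code = INLINE_COMMENT.sub("", COMMENT_LINE.sub("", source))
    statements = [s.strip() for s in STATEMENT.findall(code)]
    findings = []
    for i, stmt in enumerate(statements):
        obj = OBJECT.match(stmt)
        if not obj:
            continue
        fields = [(fid.strip("'"), "DUMMY" if dummy else val.strip("'"))
                  for fid, val, dummy in ID_CLAUSE.findall(stmt)]
        # AUTHORITY-CHECK only sets sy-subrc; the caller has to test it.
        following = statements[i + 1] if i + 1 < len(statements) else ""
        findings.append({
            "object": obj.group(1).strip("'"),
            "fields": fields,
            "subrc_checked": bool(re.search(r"\bsy-subrc\b", following, re.I)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_authority_checks(SAMPLE_ABAP):
        print(finding)
```

The commented-out check on S_OLD is ignored, and the ZS_DEMO check is reported with subrc_checked set to False because the statement after it does not look at sy-subrc.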
