
How to list Auth Objects from standard Function Module / BAPI

Jordi S.

Hi,

 

I would like to know if there is any transaction or report to get auth objects checked in standard function module or BAPI.

My requirement is the following:

I have created a program that calls the BAPI BAPI_COSTCENTER_GETDETAIL1. Then I have created a Z transaction code and I have associated it with the program.

Next I need to assign auth objects for the Z transaction through SU24.

 

With ST01 I found that authorization for object K_CSKS is needed. This is because BAPI_COSTCENTER_GETDETAIL1 internally (in deeper function modules) executes an AUTHORITY-CHECK statement for this object. This behaviour is with a user that does not have SAP_ALL. With my user, when I tested, the functionality of the program was correct.

 

Now, in order to avoid future problems in developments due to authorization objects, I would like to know if a transaction or report exists, maybe like SU24 for standard tcodes, but for function modules, classes, etc.

 

I think that something has been implemented in this way by SAP. Otherwise how do you know the auth objects needed for a Z program?

 

Thanks in advance

 

Edited by: jordis on Feb 24, 2012 5:03 PM

  • Re: How to list Auth Objects from standard Function Module / BAPI
    Martin Voros

    Hi,

     

    there is no report like that. Sometimes BAPI documentation contains a list of authorization objects that are checked. But this is not true for all BAPIs. So the only thing you can do is to run ST01. Authorization checks might change based on input but most of the time ST01 captures all objects.

     

    Cheers

    • Re: How to list Auth Objects from standard Function Module / BAPI
      Julius von dem Bussche

      Hi Martin,

       

      A SAP note will soon be released about this (compatible back to 6.40)

       

      There is a light version available in 7.3 to transfer data between PFCG and ST01.

       

      There is an optional Rolls-Royce version available for Z-codes / functions and the import parameter specific checks. The trick is to keep the original context of the call and maintain the proposals to the RFC enabled entry point, and know whether the tcode triggered it or the external caller.

       

      There is a service delivered which is context sensitive (e.g. the message type of the IDOC determines the application authorizations needed for synchronous processing, so SAP cannot deliver SU24 reliable proposals and the ones they tried for the /SDF/ are very isolated..).

       

      You need a "common functions" role for the basic scenarios like you have for interactive SAPGUI end-users, and then you need a runtime analyzer to perfect SU24 context sensitively. You also need to distinguish between a local BAPI (context is tcode) and remote one (context is RFC protocol, or http protocol... etc)

       

      That comes with the SAP Note...  (it is not released yet. I will update this with the number in the next weeks.)

       

      --> Just a little heads-up and insight that there is some light at the end of the tunnel and you can even order it as a service from SAP to fix your Z-problems for you. The question happened to match that which I know SAP is working on.

       

      Cheers,

      Julius

       

      Disclaimer: I have done many such spaghetti fixes in the wild and developed the tool and services for customer scenarios together with SAP from my experiences, it is one of my favourite topics --> the Rolls-Royce version with Z-functions, hard-wired external RFC clients and configuration scenario dependent checks includes consulting fees if you want SAP to secure your own scenarios for you. The tools help this, but you cannot fully automate or propose it for SU24 in "factory settings".

      • Re: How to list Auth Objects from standard Function Module / BAPI
        Jordi S.

        ok,

         

        So with all, I think that the correct procedure when a developer delivers a program with its Z transaction is to run ST01 beforehand in order to assign the objects used through SU24. In this way the work to assign roles with PFCG will be less and easier.

         

        Another question related to that: is it possible to have nested authority-checks? So although I have checked the objects with ST01, maybe depending on the input parameters the objects checked could be different. This is what Martin comments. So this case cannot be avoided (except if a developer or tester checks all input parameter possibilities) until an authorization incident has been reported by a productive user.

         

        Do you consider these explanations correct? Is there any documentation / course related to this topic, or on how to create customer programs taking authorizations into account?

         

        Thanks

         

        Edited by: jordis on Feb 27, 2012 12:51 PM

        • Re: How to list Auth Objects from standard Function Module / BAPI
          Julius von dem Bussche

          So with all, I think that the correct procedure when a developer delivers a program with its Z transaction is to run ST01 beforehand in order to assign the objects used through SU24. In this way the work to assign roles with PFCG will be less and easier.

          I could not have said that better than you did..  Exactly that is the best practice approach! The developer or the customizing consultant knows most about what the interface is actually going to be doing and what it will need and what not when they implement it, however it is only once in a blue moon that SU24 is maintained for anything other than a transaction code.

           

          See SAP Note 1682316 - Optimizing RFC user authorizations (https://service.sap.com/sap/support/notes/1682316) mentioned above.

           

          Cheers,

          Julius

  • Re: How to list Auth Objects from standard Function Module / BAPI
    Shrinivasan Venkatachalam

    Use the program RSABAPSC

     

    Regards,

    Shrinivasan KV
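
Added example, not part of the thread and not SAP code: the thread notes that an ST01 trace only records the checks reached by the inputs tested, so this Python sketch scans ABAP source text for AUTHORITY-CHECK statements and reports objects the trace did not show. The function module z_demo_costcenter_read, the object Z_DEMO_PLAN, the variable lv_object, the field list in the sample and all helper names are assumptions made for the illustration.

```python
import re

# Constructed ABAP sample (not SAP source). The second check sits in a branch
# that only runs for some inputs, so one ST01 run may never reach it.
SAMPLE_ABAP = """\
* constructed sample for illustration
FUNCTION z_demo_costcenter_read.
  AUTHORITY-CHECK OBJECT 'K_CSKS'
    ID 'KOKRS' FIELD iv_kokrs
    ID 'ACTVT' FIELD '03'.   "display
  IF iv_with_plan = abap_true.
    AUTHORITY-CHECK OBJECT 'Z_DEMO_PLAN' ID 'ACTVT' DUMMY.
  ENDIF.
  AUTHORITY-CHECK OBJECT lv_object ID 'ACTVT' FIELD '03'.
ENDFUNCTION.
"""

STMT = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+(\S+)(.*)", re.I | re.S)
ID_CLAUSE = re.compile(r"\bID\s+'(\w+)'\s+(FIELD\s+\S+|DUMMY)", re.I)


def strip_comments(source):
    """Drop '*' comment lines and trailing '"' comments (literals not parsed)."""
    lines = [l.split('"', 1)[0] for l in source.splitlines() if not l.startswith("*")]
    return "\n".join(lines)


def find_checks(source):
    """Return (object, {field: value clause}, is_dynamic) per statement."""
    checks = []
    # Simplification: statements are split on '.', so a period inside a
    # literal would cut a statement short.
    for stmt in strip_comments(source).split("."):
        m = STMT.search(stmt)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        fields = {f.upper(): " ".join(v.split()) for f, v in ID_CLAUSE.findall(rest)}
        # An object name held in a variable cannot be resolved from source text.
        dynamic = not name.startswith("'")
        checks.append((name.strip("'").upper(), fields, dynamic))
    return checks


def untraced(source, traced_objects):
    """Literal objects found in the source that the runtime trace did not show."""
    static = {name for name, _, dyn in find_checks(source) if not dyn}
    return sorted(static - {o.upper() for o in traced_objects})
```

Statements flagged as dynamic still need a runtime trace, since the object name is only known when the code runs.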
