15 Replies Latest reply: May 26, 2006 8:33 PM by Saquib Khan, PMP RSS

Authorization check For T code

suchitra baala
Currently Being Moderated

Hi everyone,

 

Can anybody guide to set a  authorization check  for a particular Tcode.

 

I have ztable where users are assigned particular numbers.

 

I want the users who are assigned some numbers should be able to use this particular t code

 

Thanks in advance

  • Re: Authorization check For T code
    Ganesh Mynampati
    Currently Being Moderated

    hi

     

    chk this out

     

    AUTHORITY-CHECK

     

     

    Basic form

    AUTHORITY-CHECK OBJECT object

        ID name1  FIELD f1

        ID name2  FIELD f2

        ...

        ID name10 FIELD f10.

     

     

     

    Effect

    Explanation of IDs:

     

     

    object

    Field which contains the name of the object for which the authorization is to be checked.

     

     

    name1 ...

    Fields which contain the names of the

    name10

    authorization fields defined in the object.

     

     

    f1 ...

    Fields which contain the values for which the

    f10

    authorization is to be checked.

     

     

    AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

    You must specify all authorizations for an object and a also a value for each ID (or DUMMY).

    The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

    If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

    If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.

    The return code value changes according to the different error scenarios. The return code values have the following meaning:

     

     

    4

    User has no authorization in the SAP System for such an action. If necessary, change the user master record.

    8

    Too many parameters (fields, values). Maximum allowed is 10.

    12

    Specified object not maintained in the user master record.

    16

    No profile entered in the user master record.

    24

    The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

    28

    Incorrect structure for user master record.

    32

    Incorrect structure for user master record.

    36

    Incorrect structure for user master record.

     

    If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.

    Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

     

     

     

    Note

    Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.

    The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

     

     

     

    Example

    Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

     

    Table OBJ: Definition of authorization object

     

    M_EINF_WRK

       ACTVT

       WERKS

     

     

    Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

     

    M_EINF_WRK_BERECH1

       ACTVT 01-03

       WERKS 0001-0003 .

     

    can display and change plants within the Purchasing and Materials Management areas.

     

    Such a user would thus pass the checks

     

     

     

    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

        ID 'WERKS' FIELD '0002'

        ID 'ACTVT' FIELD '02'.

     

    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

        ID 'WERKS' DUMMY

        ID 'ACTVT' FIELD '01':

     

     

     

    but would fail the check

     

     

    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

        ID 'WERKS' FIELD '0005'

        ID 'ACTVT' FIELD '04'.

     

     

     

    To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK

  • Re: Authorization check For T code
    Venkatalaxmi Vadlamani
    Currently Being Moderated

    HI,

     

    You can use function module AUTHORITY_CHECK_TCODE for this. Some thing like,

     

    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'

    EXPORTING

    TCODE = <Your Tcode here>

    EXCEPTIONS

    OK = 0

    NOT_OK = 1

    OTHERS = 2.

    IF sy-subrc <> 0.

    ****No Authorization

    ENDIF.

     

    Regards.

    Laxmi

  • Re: Authorization check For T code
    ASWIN CHANDRASEKARAN
    Currently Being Moderated

    Hi,

    Probably you can try that in transactions SU20 and SU21.

     

    Check this thread:

    Re: Security reports

    Regards,

    Aswin

  • Re: Authorization check For T code
    Latheesh Kaduthara
    Currently Being Moderated

    Hi,

     

    refer this thread:

    How to create Authorization objects for TCODE.

     

     

    rgds,

    latheesh

  • Re: Authorization check For T code
    NAVEEN KUMAR GUDURI
    Currently Being Moderated

    hi Suchitra,

     

     

    Take one user, find a role , by going in SU01 ->user name ->roles tab -> pick up Z:role or whatever . Go to tr.PFCG and paste that role -> hit display and ->click authorization tab ->you’ll see glasses sign -> click it after that a screen will come hit find and in object write "S_tcode" it`ll show you the place where you have to place the T-code for user .

     

     

    Normally this is done by security, but it might help you ,.!!

     

     

    you can also see security reports in this thread !!

     

     

    Re: Security reports

     

     

    go thru the link to know abt the concept & creation of authorizaition

     

    http://help.sap.com/saphelp_bw21c/helpdata/en/52/6712ac439b11d1896f0000e8322d00/frameset.htm

     

     

     

    Hope this’ll give you idea!!

     

    Regards,

    Naveen

  • Re: Authorization check For T code
    keerthi kiran varanasi
    Currently Being Moderated

    hi suchitra,

    check this link:

    www.geocities.com/victorav15/sapr3/abapfun.html - 96k -

     

    regards,

    keerthi.

  • Re: Authorization check For T code
    Vikram Jalali
    Currently Being Moderated

    Hi Suchitra,

     

    You can set authorisation check for the particular user by having a look up between sy-uname(user) and your ztable records. If there is a match, then user can proceed else come out of transaction.

     

    You can put your code in AT SELECTION-SCREEN event of the program.

     

    AT SELECTION-SCREEN.

     

    select single auth_num from ztable where zuser = sy-uname.

    if sy-subrc <> 0.

    message 'User not authorised'.

    endif.

     

    There are some other ways to restrict access based on authorisation like use of authority-check statement or

    You can directly link authorization objects with transaction codes in SE93 tcode. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.

    Suggest you should go thru following link :

    http://help.sap.com/saphelp_erp2004/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm

    Since you are using ztable to check authorisation, first method should suffice your requirement.

     

    Cheers,

    Vikram

     

    Please reward for helpful replies!!

  • Re: Authorization check For T code
    suchitra baala
    Currently Being Moderated

    Hi everyone,

     

    I am getting lost in t code authorization.

     

    Can anybody tell little bit clearly how to go about creating authorization for at Tcode.

    Ihave a ztable in which the authorized users are assigned a number.Iwant the T-code be accessible to only those users who are assigned a numbers in z table.

     

    Hope iam clear.

     

    Thanks in advance.

     

    Suchitra

    • Re: Authorization check For T code
      Saquib Khan, PMP
      Currently Being Moderated

      Let me repeat the scenario ..!! You’re saying you have built up one Ztable in which you have users and Numbers .

      User execute certain transaction<b>  NOT transactions?</b>.

      On that transaction you want to see user in the Ztable that assigned to user as well as for number  or not ?

       

      _well if it standard transaction you don’t need to do all this hustle and haggle. If it Standard transaction let me know the transaction ? You can simple handle it by objects and roles .

       

      -If its Z transaction still you can handle it . but if you want to restrict them on certain numbers. You can build up a logic in your program and include that transaction code in Ztable too .  So you can check sy-uname with your Ztable and fill up the data which user can or cant see ... OR  put some 1 flag parameter in your table like Authorization = 'X" . You can use it in this way .

       

      As far as executing the T-code , that you can assign to the user profile in Tr.PFCG . by going in to "authorization tab " and object = S_tocde .

       

       

      Hope this’ll give you idea!!

      <b>P.S award the points.</b>

      Good luck

      Thanks

      Saquib Khan

      "Some are wise and some are otherwise"

       

       

      • Re: Authorization check For T code
        suchitra baala
        Currently Being Moderated

        Hi Saquib Khan,

         

        First of all i like to thank you for your time.

         

        I have wrriten code for a module pool program and created a transaction zxya.Now i have  a ztable lets say zdef which contains usernames and numbers-...

        Now when i want to authorize only those users who are present in zdef.

        Please let me know how should i proceed.(i think i should compare with user name  right ? do i have to write code for that in PAI or is there any other way i.e i mean through se93 or su21 or....

         

        please let me know your valuable advice.

         

        waiting for your reply.

         

        Hope iam clear this time

         

        Suchitra

        • Re: Authorization check For T code
          Saquib Khan, PMP
          Currently Being Moderated

          Pl... follow the logic which Vikram Jalali  explain you in PAI.... Check Sy-uname in PAI . If it has entry in your Ztable ok " otherwise " just through "Error" message ...!! In this case you don’t need SE93 or su21 . As you want to check the authorization in the t-code.

           

          FYI

           

          If you want to check your Z-code ,I mean you want restrict on that then you have to assign the your T-code to user role in Tr.PFcg .

           

           

           

          Hope this’ll give you idea!!

          <b>P.S award the points.</b>

          Good luck

          Thanks

          Saquib Khan

          "Some are wise and some are otherwise"

  • Re: Authorization check For T code
    Vikram Jalali
    Currently Being Moderated

    Hi Suchitra,

    Since you are using module pool program, you need to validate the sy-uname with the users in the ztable in PAI module.

     

    select field1 from ztable where field1 = sy-uname.

    if sy-subrc  <> 0;

    < user is not authorised,leave to main screen>.

    endif.

     

    This should suffice your requirement.

     

    Another way,if you were not using ZTABLE would have been attaching authorization object to the transaction and assigning this object to the user profile of the users who should be allowed to use this transaction.

     

    Cheers,

    Vikram

     

    Please reward for helpful replies.

Actions