05-03-2011 11:47 AM
Hi,
I have created an authorization object for Report ID and ACTVT. I also created profiles for the same and assigned the roles to the required users.
In the program I check as:
AUTHORITY-CHECK OBJECT 'ZAUTH_ATTC'
ID 'REPID' FIELD sy-repid
ID 'ACTVT' FIELD '16'. "Execute
Initially this worked fine only for the users who have these roles. But now it has started working for all the users, irrespective of the roles assigned or not.
Can someone help me on this ?
Thanks
Edited by: Julius Bussche on May 3, 2011 7:52 PM
Subject title made more meaningful...
05-03-2011 12:11 PM
Hi,
Take an ST01 authorization trace on the execution of the transaction. Check the report to see whether this object is checked during the execution. Depending on the results, take a decision.
If the user already has that object, then it may be assigned to the user through some different roles. Then remove the role and test.
If the user doesn't have access to the object, and there is no check against the object during execution, then it is a problem in the program. Check with the respective developer.
If the authorization check fails and the user is still able to run the transaction, then it is also a problem with the program. You need to check with the developer.
Regards,
Sandip
05-03-2011 2:05 PM
and in addition.....
If the user definitely does not have the authorization, but the authority-check succeeds, probably the auth. check had been disabled in SU24 for that t-code by setting the check flag to 'no check'.
b.rgs, Bernhard
05-03-2011 2:23 PM
Hi
Thanks for the reply.
But my report program doesn't have any t-code. I have just created an auth object for reportid & actvt.
In my report program I'm doing a check only for report id and actvt.
Can you pls help on how I will configure this auth object in SU24?
05-04-2011 3:12 PM
A few inputs from my end.
1. Always associate Custom reports with Custom Z tcodes. In this way you can eliminate running programs from SE38.
2. Update SU24 with the custom auth object.
3. If possible use S_PROGRAM, S_TCODE, Z_***** (Custom Object) in combination to restrict the report usage and provide this tcode to the user in a separate role (if sensitive).
In your situation, I would recommend having a Z tcode created and updating it with the custom auth object in SU24. That should help in restricting the access.
Rgds,
Sri
02-20-2012 8:33 AM
Hello,
I am facing the same problem: I created the Auth-Object on D-System, transported to Q-System, there the Auth-Check returns sy-subrc = 0 although the user does not have the authorization!
How did you resolve the issue?
Thanks
Johannes
05-03-2011 6:47 PM
What happens after the authority-check?
if sy-subrc <> 0.
"?????
Cheers,
Julius
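
An added example, not part of any post in this thread: AUTHORITY-CHECK only sets sy-subrc and never stops the program by itself, so the report has to evaluate the return code and end processing when it is non-zero. The object ZAUTH_ATTC and its fields are taken from the first post; the report name ZAUTH_DEMO, the form name and the message text are hypothetical.

```abap
REPORT zauth_demo. " hypothetical report name

START-OF-SELECTION.
  " The statement below does not block anything on its own.
  " It only sets sy-subrc, which the program must evaluate.
  AUTHORITY-CHECK OBJECT 'ZAUTH_ATTC'
    ID 'REPID' FIELD sy-repid
    ID 'ACTVT' FIELD '16'. "Execute

  CASE sy-subrc.
    WHEN 0.
      " User holds an authorization matching REPID and ACTVT 16
      PERFORM run_report.
    WHEN 4.
      " User has the object, but not with matching field values
      MESSAGE 'No authorization to execute this report' TYPE 'E'.
    WHEN 12.
      " User has no authorization for the object at all
      MESSAGE 'No authorization to execute this report' TYPE 'E'.
    WHEN OTHERS.
      " Treat every other non-zero return code as a denial
      MESSAGE 'No authorization to execute this report' TYPE 'E'.
  ENDCASE.

FORM run_report.
  " Protected logic is reached only from the sy-subrc = 0 branch
  WRITE: / 'Report executed by', sy-uname.
ENDFORM.
```

The return code handled here is the same value an ST01 authorization trace records for the check, so the trace and the program branch can be compared directly.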