I have created an authorization object for Report ID and ACTVT. Created profiles also for the same and assigned the roles to the required users.
In the program I check as:
AUTHORITY-CHECK OBJECT 'ZAUTH_ATTC'
ID 'REPID' FIELD sy-repid
ID 'ACTVT' FIELD '16'. "Execute
Initially this worked fine only for the users who have these roles. But now it has started working for all the users irrespective of whether the roles are assigned or not.
Can someone help me with this?
Edited by: Julius Bussche on May 3, 2011 7:52 PM
Subject title made more meaningful...
Take an ST01 authorization trace on the execution of the transaction. Check the report, whether this object is checked during the execution. Depending on the results, take a decision.
If the user already has that object, then it may be assigned to the users through some different roles. Then remove the role and test.
If the user doesn't have access to the object, and there is no check against the object during execution, then it is a problem in the program. Check with the respective developer.
If authorization check fails and still the user is able to run the transaction, then also it is a problem with the program. Need to check with the developer.
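For the last case above (the check fails in the trace but the report still runs), the usual thing to verify in the program is that the return code of AUTHORITY-CHECK is evaluated. The following is an added example, not code from the thread: ZAUTH_ATTC, REPID and ACTVT '16' are taken from the question, while the report name and message text are assumptions.

```abap
REPORT zauth_attc_demo. "hypothetical report name

* AUTHORITY-CHECK only sets sy-subrc; it never stops the program itself.
*   0  = user holds a matching authorization
*   4  = authorization for the object exists, but not for these values
*   12 = user has no authorization for the object at all
DATA: gv_rc   TYPE sy-subrc,
      gv_rc_c TYPE c LENGTH 4,
      gv_msg  TYPE string.

START-OF-SELECTION.

  AUTHORITY-CHECK OBJECT 'ZAUTH_ATTC'
    ID 'REPID' FIELD sy-repid
    ID 'ACTVT' FIELD '16'.            "Execute

* Save the return code immediately; any later statement may overwrite it.
  gv_rc = sy-subrc.

  IF gv_rc <> 0.
*   Put the return code in the message so it can be matched against
*   the RC column of the ST01 trace for the same user.
    WRITE gv_rc TO gv_rc_c LEFT-JUSTIFIED.
    CONCATENATE 'No authorization for report' sy-repid
                '- AUTHORITY-CHECK RC' gv_rc_c
           INTO gv_msg SEPARATED BY space.
    MESSAGE gv_msg TYPE 'S' DISPLAY LIKE 'E'.
    LEAVE PROGRAM.                    "nothing below runs for this user
  ENDIF.

* Only reached when the check returned 0.
  WRITE: / 'Report logic runs here for authorized users only.'.
```

If the program already handles the return code like this and unauthorized users still get through, the ST01 trace will show which authorization satisfied the check.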
A few inputs from my end.
1. Always associate Custom reports with Custom Z tcodes. In this way you can eliminate running programs from SE38.
2. Update SU24 with the custom auth object.
3. If possible use S_PROGRAM, S_TCODE, Z_***** (Custom Object) in a combination to restrict the report usage and provide this tcode to the user in a separate role (If sensitive).
In your situation, I would recommend having a Z tcode created and update it with custom Auth object in SU24. That should help in restricting the access.