Skip to Content

AUTHORITY-CHECK OBJECT always returns SY-SUBRC = 0

Hello,

I'm an SD consultant, and I need help with something related to ABAP.

We made a custom authorization object of Z_KONH_KLS, to control which values of condition types the users can see based on the pricing procedure name (KALSM) and step number (STUNR). So, if user viewed a Sales Order document that has different pricing procedure set in the authorization object, all values of condition types won't appear; or if both pricing procedure in authorization object and SO are the same, the user can only view the values until step number set in the authorization object.

We've been using this method in one of our server (4.6C version) for years.

One of the users asked to bring the same method to the other server (SAP ERP Central Component 5.0 version). However, when we debug the new code brought from 4.6C version, the sy-subrc always returns 0.

These are the roles:

4.6C version role-1.png

SAP ERP Central Component 5.0 version role-2.png

The pricing procedure used in both servers have different names, but same content. Step 174 and beyond, we use it for VPRS, which we don't want user to see the value.

Here's the debug result - left is 4.6C version, right is SAP ERP Central Component 5.0 version debug-result.png

In SAP ERP Central Component 5.0 version of server, no matter what KALSM I give, it always returns sy-subrc = 0.

Can anyone help what is the cause why it always returns sy-subrc = 0 and how to fix it, despite the same code has been used in other server for years without problem?

Thanks,

role-1.png (14.3 kB)
role-2.png (14.3 kB)
debug-result.png (88.0 kB)
Add a comment
10|10000 characters needed characters exceeded

  • What is the SAP_BASIS release of the newer system (and what is the kernel release)?
    Is the authority check taking place during update processing? (including local update)

  • What does SU56 show for your test users? By examining the user buffer you can see which authorizations they really have and through which role/profile they get them.

    A bit more of a long shot: What are the SU24 settngs for VA03 and your custom object?

  • (continued)

    • The pricing procedure used in both servers have different names, but same content. Step 174 and beyond, we use it for VPRS, which we don't want user to see the value.
    • Here's the debug result - left is 4.6C version, right is SAP ERP Central Component 5.0 version

    • In SAP ERP Central Component 5.0 version of server, no matter what KALSM I give, it always returns sy-subrc = 0.
    • Can anyone help what is the cause why it always returns sy-subrc = 0 and how to fix it, despite the same code has been used in other server for years without problem?

    + These comments:

    • Can you do a SU53 or a ST01 authorization log trace ?
    • SU53 gave me V_VBAK_VKO to be checked.
    • While ST01 gave me [all authorization checks Z_KONH_KLS successful]

    • Are you comparing (debugging) both systems in development environment? Did you check if user in both systems has the same roles assigned? Are the roles defined in the same way?
    • I debug both systems in QA environment since our development server doesn't have proper roles. The two roles have different names and different authorization (like Sales Org, Document Type, etc) since both are for different company, but the roles have same function of sales admin.
    • Have you checked other roles and profiles too? As an example, on one system user you're testing on may have a SAPALL assigned, thus having authorizations for everything.
    • The authorization object for Z_KONH_KLS, is set on Z*SALES*ADMIN role, there's no other role contains Z_KONH_KLS assigned to the two user IDs except the Z*SALES*ADMIN role.
    • In both servers, the roles have their own names, both function as sales admin role.
      I've checked their profile as well, there's no SAP_ALL profile on both user IDs.
      Perhaps there is other code/syntax to be used in the SAP ERP Central Component 5.0 version of server?

Assigned Tags

Related questions

1 Answer

  • Best Answer
    Posted on Jul 28, 2020 at 03:44 AM

    As Mateusz Adamus suggested about checking roles, I did more thorough checking and found out that the mentioned object has been assigned by other team with different role to the user ID I tested. This different role is the cause why SY-SUBRC always returns 0.

    Add a comment
    10|10000 characters needed characters exceeded