Skip to Content
0

How do I add an authorization object to a SAP standard transaction?

Mar 24, 2017 at 03:11 PM

154

avatar image
Fernando Roman Urquizo Rios

Hello Colleagues,

Wiht TX. su24 I have add Objetc authorization P_ORGIN to standard transaction PC00_M99_CWTR in order to control access by PERSA.

But however it is not working, and when I did trace (ST01) I can see it is checking anothers OA (P) and not P_ORGIN

In spite of in SU24 PC00_M99_CWTR is proposal P_ABAP, P_ORGIN and P_PCLX like active and check indicadtor; in ST01 only show P_ABAP

How can I force to control P_ORGIN instead of P_ABAP

Thank you so much in advance

Best regardse

Fernando

Security
10 |10000 characters needed characters left characters exceeded
Viewable by all users
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Sort by:
Best Answer
avatar image
Jurjen Heeck Answered Mar 25, 2017 at 10:55 AM
1

Hi Fernando,

You can not add checks by simply adding them to SU24 like that. The actual check has to be coded into the program. Talk to a programmer and see if there are usable enhancement points in this program where a P_ORGIN check can be added.

Jurjen

Show 3 Share
10 |10000 characters needed characters left characters exceeded
Viewable by all users
Fernando Roman Urquizo Rios
Mar 27, 2017 at 09:44 AM

Hi Jurjen,

Thank you for your response, I agree with you but in case not standard transaction or Z transaction.

But in this case PC00_M99_CWTR is a standard transaction and I think that should be already implemented in standard code P_ORGIN but in my case it is not.

Is possible, Should I execute any update of transactions code or something ?

Best regards

Fernando

0
Jurjen Heeck
Fernando Roman Urquizo Rios
Mar 27, 2017 at 11:56 AM

Hi Fernando,

The best way to know whether a certain authorization check is present in the software is to run the program with an authorization trace alongside. Even disabled checks will show up in the trace, with RC=0.

I've just tried that and found out that here you are facing a different problem: PC00_M99_CWTR will check P_ORGIN but only if P_ABAP authorizations are not present within the user master record. If the program finds a P_ABAP object with sufficient rights it doesn't look any further.

Best experiment with a test user and a role with only S_TCODE PC00_M99_CWTR and P_ORGIN in it.

Jurjen

0
Fernando Roman Urquizo Rios
Mar 27, 2017 at 02:41 PM

Dear Jurjen,

I had P_ABAP with "*" for this reason P_ORGIN did not worked, you are right, as soon I will configure rol with P_ABAP disable, it call P_ORGIN according my settings.

Thank you so much for your advice

Best regards

Fernando

1
Comment
avatar image
Keith Doyle Answered
Mar 27, 2017 at 08:27 PM
2

Hello Fernando,
Please also consider the value for P_ABAP COARS when assigning the authorizations.

If COARS = 2 is maintained with the REPID (for the report), no further authorization checks are performed for the User on that report.

You can review the documentation for P_ABAP in SU03->HR->Documentation if required.

Regards,
Keith

Share
10 |10000 characters needed characters left characters exceeded
Viewable by all users