Skip to Content
0

How I find out which field in AUTHORITY-CHECK failed

Sep 27, 2017 at 05:54 PM

53

avatar image

Hello Community,

I have an authority object N_1PDS_DCM with several fields:

        AUTHORITY-CHECK OBJECT 'N_1PDS_DCM'
                 ID 'ACTVT'     FIELD '01'
                 ID 'N_EINRI'   FIELD '0104'
                 ID 'N_2MITARB' FIELD 'MAX'
                 ID 'N_2ORGDO'  FIELD 'CHIR'
                 ID 'N_2KAT'    FIELD 'CATEGORY'
                 ID 'N_2BRGR'   FIELD 'DOCT'.

With the sy-subrc I only get information that the user is not authorized and I can only show a message like "no authority to create anything". But what I need is to get information which field(s) actually fail(s). Because I would like to show the user a more detailed message with information where the lack of authorisation is, i.e. for CHIR (ID N_2ORGDO, organizational unit). Then the user couldchange the organizational unit and proceed forward.

Does anybody know a solution to get the field which failed by an authority-check, in order to create a more detailed message for the user?

Kind regards,
Andreas

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Sandra Rossi Sep 27, 2017 at 06:02 PM
0

Not so easy, you'll have to do everything by yourself.

The authorization check is based on the combination of fields. One authorization may be OK for fields 1, 2, 3, 4, 5 and KO for 6, another one may be OK for fields 1, 2, 3, 4, 6 and KO for 5. Which authorization should you consider?

Moreover, I wonder whether it can be seen as a security breach to give this information (it should be reserved to very specific authorization objects).

Anyway, if you want to read the current authorizations of a user, you need to get the roles/profiles of the user (table UST04), then get the authorizations (UST10S), and then the authorization values (UST12).

Share
10 |10000 characters needed characters left characters exceeded
Jelena Perfiljeva
Oct 05, 2017 at 07:34 PM
0

I can't find this object in our system but just as an "out of the box" option: if parameters allow, you could try splitting this into multiple checks. I.e. at first, check the top 1-2 parameters (leave the rest blank or '*'), then do another check with adding more and more parameters. Not great but at least it'll give you an option to issue a meaningful error message.

Share
10 |10000 characters needed characters left characters exceeded