
How do I find out which field in AUTHORITY-CHECK failed?

Hello Community,

I have an authority object N_1PDS_DCM with several fields:

        AUTHORITY-CHECK OBJECT 'N_1PDS_DCM'
                 ID 'ACTVT'     FIELD '01'
                 ID 'N_EINRI'   FIELD '0104'
                 ID 'N_2MITARB' FIELD 'MAX'
                 ID 'N_2ORGDO'  FIELD 'CHIR'
                 ID 'N_2KAT'    FIELD 'CATEGORY'
                 ID 'N_2BRGR'   FIELD 'DOCT'.

With the sy-subrc I only get information that the user is not authorized and I can only show a message like "no authority to create anything". But what I need is to get information which field(s) actually fail(s). Because I would like to show the user a more detailed message with information where the lack of authorisation is, i.e. for CHIR (ID N_2ORGDO, organizational unit). Then the user could change the organizational unit and proceed forward.

Does anybody know a solution to get the field which failed by an authority-check, in order to create a more detailed message for the user?

Kind regards,
Andreas


2 Answers

  • Sep 27, 2017 at 06:02 PM

    Not so easy, you'll have to do everything by yourself.

    The authorization check is based on the combination of fields. One authorization may be OK for fields 1, 2, 3, 4, 5 and KO for 6, another one may be OK for fields 1, 2, 3, 4, 6 and KO for 5. Which authorization should you consider?

    Moreover, I wonder whether it can be seen as a security breach to give this information (it should be reserved to very specific authorization objects).

    Anyway, if you want to read the current authorizations of a user, you need to get the roles/profiles of the user (table UST04), then get the authorizations (UST10S), and then the authorization values (UST12).


  • Oct 05, 2017 at 07:34 PM

    I can't find this object in our system but just as an "out of the box" option: if parameters allow, you could try splitting this into multiple checks. I.e. at first, check the top 1-2 parameters (leave the rest blank or '*'), then do another check with adding more and more parameters. Not great but at least it'll give you an option to issue a meaningful error message.

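
The stepwise check suggested in the second answer, written out as an added example that is not part of the thread: it reuses the object and field values from the question, checks the fields in three groups with `DUMMY` (which skips the check for that field) on the rest, and records the first group at which the check fails. The variable names `lv_failed` and `lv_text` are assumptions.

```abap
DATA: lv_failed TYPE string,
      lv_text   TYPE string.

" Step 1: activity and institution only; all other fields are skipped.
AUTHORITY-CHECK OBJECT 'N_1PDS_DCM'
         ID 'ACTVT'     FIELD '01'
         ID 'N_EINRI'   FIELD '0104'
         ID 'N_2MITARB' DUMMY
         ID 'N_2ORGDO'  DUMMY
         ID 'N_2KAT'    DUMMY
         ID 'N_2BRGR'   DUMMY.
IF sy-subrc <> 0.
  lv_failed = 'ACTVT / N_EINRI'.
ELSE.
  " Step 2: add employee and organizational unit.
  AUTHORITY-CHECK OBJECT 'N_1PDS_DCM'
           ID 'ACTVT'     FIELD '01'
           ID 'N_EINRI'   FIELD '0104'
           ID 'N_2MITARB' FIELD 'MAX'
           ID 'N_2ORGDO'  FIELD 'CHIR'
           ID 'N_2KAT'    DUMMY
           ID 'N_2BRGR'   DUMMY.
  IF sy-subrc <> 0.
    lv_failed = 'N_2MITARB / N_2ORGDO'.
  ELSE.
    " Step 3: the full check from the question.
    AUTHORITY-CHECK OBJECT 'N_1PDS_DCM'
             ID 'ACTVT'     FIELD '01'
             ID 'N_EINRI'   FIELD '0104'
             ID 'N_2MITARB' FIELD 'MAX'
             ID 'N_2ORGDO'  FIELD 'CHIR'
             ID 'N_2KAT'    FIELD 'CATEGORY'
             ID 'N_2BRGR'   FIELD 'DOCT'.
    IF sy-subrc <> 0.
      lv_failed = 'N_2KAT / N_2BRGR'.
    ENDIF.
  ENDIF.
ENDIF.

IF lv_failed IS NOT INITIAL.
  CONCATENATE 'No authorization for N_1PDS_DCM at:' lv_failed
         INTO lv_text SEPARATED BY space.
  MESSAGE lv_text TYPE 'E'.
ENDIF.
```

Because a check passes only when one authorization covers all checked values together, the reported group marks where the combination stopped being covered, which is the ambiguity the first answer describes.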