
How to skip authorization check for FB03/MIR4

MKM
Active Participant
0 Kudos

Hi Experts,

I have developed a custom Web Dynpro Report in which there is a provision for displaying a document (FB03 and MIR4) at the click of a button after selecting the corresponding record in the ALV.

The code below is used to generate the URL for the document and then display it in an external window.

Now the requirement is to give default display rights to all users (to view FB03 and MIR4) who are using this report, even if they don't have authorization for that.

Is there any trick to override the authority check?

Awaiting your valuable response.

Thanks,

Manoj

Accepted Solutions (0)

Answers (2)


pokrakam
Active Contributor

I will try to say this as nicely as I can: That's a really really really really bad solution.

- On a technical level it's a very long-winded way to just give everyone read access to everything, because
- you're giving everyone access to every document, therefore
- you might as well give everyone read everything authorisation for FB03 and MIR4

Find out what people need to see and build a component to show it to them. With proper authorisation checks.
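A sketch of the kind of read method such a component could use, added here as an illustration and not code from any participant in this thread. It checks display activity (03) on the standard authorization object F_BKPF_BUK before reading the document header; the report name, class names and exception classes are hypothetical, and a real FB03 replacement would need the further objects that SU24 lists for the transaction.

```abap
REPORT zfi_doc_display_demo. " hypothetical report name

" Hypothetical local exception classes for this example
CLASS lcx_not_authorized DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.
CLASS lcx_not_found DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_fi_doc_reader DEFINITION.
  PUBLIC SECTION.
    " Only the header fields the display screen is assumed to need
    TYPES: BEGIN OF ty_header,
             bukrs TYPE bkpf-bukrs,
             belnr TYPE bkpf-belnr,
             gjahr TYPE bkpf-gjahr,
             blart TYPE bkpf-blart,
             budat TYPE bkpf-budat,
           END OF ty_header.
    CLASS-METHODS read_header
      IMPORTING iv_bukrs         TYPE bkpf-bukrs
                iv_belnr         TYPE bkpf-belnr
                iv_gjahr         TYPE bkpf-gjahr
      RETURNING VALUE(rs_header) TYPE ty_header
      RAISING   lcx_not_authorized lcx_not_found.
ENDCLASS.

CLASS lcl_fi_doc_reader IMPLEMENTATION.
  METHOD read_header.
    " Check the calling user's display right for this company code
    " before any data is read; nothing is returned on failure.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD iv_bukrs
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.

    SELECT SINGLE bukrs belnr gjahr blart budat
      FROM bkpf
      INTO rs_header
      WHERE bukrs = iv_bukrs
        AND belnr = iv_belnr
        AND gjahr = iv_gjahr.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_not_found.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```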

MKM
Active Participant
0 Kudos

Hi Mike,

It is required to do this without changing anything at the authorization or role level.

I am trying the same thing that you suggested.

Creating a Web Dynpro component with the required information of the document to be shown to the user 😞

Thanks,

Manoj

pokrakam
Active Contributor
0 Kudos

Why the 😞 ..?

To me that sounds like an easier solution than to mess around with URLs and custom hacks to break SAP's authorization checks. In the UK and probably most EU countries your company could be hauled up for data protection violations for making any financial document accessible to anyone via a simple URL. And it's definitely quicker to implement and can be nicer for the users (depending on exact needs).

MKM
Active Participant
0 Kudos

Because I thought it could be done with some coding trick. But now I have to develop a full screen with all the required information to be shown to the user.

I agree on violating authorization checks. That we will handle with an appropriate reason to the auditor. But the user wants to see.

Thanks,

Manoj

FredericGirod
Active Contributor
0 Kudos

Hi,

I agree with Mike, it's a bad idea.

For your information, most of the time, in the SAP context, CALL TRANSACTION '...' does not check the authorization to call the transaction.

But the problem is not the transaction but all the objects behind the transaction. Have a look at all the objects that could be checked during FB03 or MIR4 using transaction SU24.

If you are using a WebDynpro program, you could create a node in the SICF with a dedicated user/passwd. This node will call the transaction FB03 or MIR4 and return the result.

Ask your developer if he could do that.

regards

Fred

MKM
Active Participant
0 Kudos

Hi Fred,

I am the developer. I have not done any node creation before.

If you can explain SICF node creation solution in detail, it will help me in implementing.

Thanks,

Manoj

FredericGirod
Active Contributor
0 Kudos

Hi Manoj,

For the part of your webdynpro you have developed to display the MIR4 or the FB03, you have to create a dedicated webdynpro.

Each time you create a webdynpro, SAP itself creates a node in the SICF transaction (you can find them using the filter on the first screen). In the SICF node you can change several things, like the error page, the default language, ... and you can set a username and password (like for RFC SM59).

So your user will connect to the system and start the first webdynpro; this webdynpro will call the webdynpro MIR4/FB03, and in this webdynpro the user used by SAP will be another user with the good authorization.

We used the same logic to create a webdynpro page to reset passwords.

good luck

Fred