
How to skip authorization check for FB03/MIR4

Nov 07, 2017 at 06:14 AM


Hi Experts,

I have developed a custom Web Dynpro report in which there is a provision for displaying a document (FB03 and MIR4) on click of a button after selecting the corresponding record in the ALV.

The code below is used to generate the URL for the document and then display it in an external window.

Now the requirement is to give default display rights (to view FB03 and MIR4) to all users who are using this report, even if they don't have authorization for that.

Is there any trick to override the authority check?

Awaiting your valuable response.

Thanks,

Manoj

untitled.png (16.7 kB)

2 Answers

Mike Pokraka Nov 07, 2017 at 07:22 PM
1

I will try to say this as nicely as I can: That's a really really really really bad solution.

- On a technical level it's a very long-winded way to just give everyone read access to everything, because
- you're giving everyone access to every document, therefore
- you might as well give everyone read everything authorisation for FB03 and MIR4

Find out what people need to see and build a component to show it to them. With proper authorisation checks.


Hi Mike,

It is required to do this without changing anything at authorization or role level.

I am trying the same thing that you suggested.

Creating a Web Dynpro component with the required information of the document to be shown to the user :-(

Thanks,

Manoj


Why the :-( ..?

To me that sounds like an easier solution than to mess around with URLs and custom hacks to break SAP's authorization checks. In the UK and probably most EU countries your company could be hauled up for data protection violations for making any financial document accessible to anyone via a simple URL. And it's definitely quicker to implement and can be nicer for the users (depending on exact needs).


Because I thought it could be done with some coding trick. But now I have to develop a full screen with all the required information to be shown to the user.

I agree on violating authorization checks. That we will handle with an appropriate reason to the auditor. But the user wants to see.

Thanks,

Manoj
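A sketch of the kind of read-only component the answer above recommends, added here as an illustration and not code posted by anyone in this thread. The class `ZCL_FI_DOC_VIEW`, its method `READ_HEADER`, the type `TY_HEADER` and the choice of header fields are hypothetical; only the company-code object `F_BKPF_BUK` is checked, and the other objects listed for FB03 and MIR4 in SU24 would need the same treatment.

```abap
" Added example: names starting with Z are hypothetical.
CLASS zcl_fi_doc_view DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Only the fields the report is meant to expose, not the whole document.
    TYPES: BEGIN OF ty_header,
             bukrs TYPE bkpf-bukrs,
             belnr TYPE bkpf-belnr,
             gjahr TYPE bkpf-gjahr,
             blart TYPE bkpf-blart,
             budat TYPE bkpf-budat,
             xblnr TYPE bkpf-xblnr,
           END OF ty_header.
    CLASS-METHODS read_header
      IMPORTING  iv_bukrs  TYPE bkpf-bukrs
                 iv_belnr  TYPE bkpf-belnr
                 iv_gjahr  TYPE bkpf-gjahr
      EXPORTING  es_header TYPE ty_header
      EXCEPTIONS not_authorized not_found.
ENDCLASS.

CLASS zcl_fi_doc_view IMPLEMENTATION.
  METHOD read_header.
    CLEAR es_header.

    " Check the logged-on user for display activity (03) on the company
    " code before touching the database, so an unauthorized caller cannot
    " even learn whether the document exists.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD iv_bukrs
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE not_authorized.
    ENDIF.

    " Full key read of the document header, restricted to the exposed fields.
    SELECT SINGLE bukrs belnr gjahr blart budat xblnr
      FROM bkpf
      INTO es_header
      WHERE bukrs = iv_bukrs
        AND belnr = iv_belnr
        AND gjahr = iv_gjahr.
    IF sy-subrc <> 0.
      RAISE not_found.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

The Web Dynpro view would call this method for the selected ALV row and show a message instead of data when `not_authorized` is raised.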

Former Member Nov 08, 2017 at 08:20 AM
0

Hi,

I agree with Mike, it's a bad idea.

For your information, most of the time, in SAP context, the CALL TRANSACTION '...' does not check the authorization to call the transaction.

But the problem is not the transaction but all the objects behind the transaction. Have a look at all the objects that could be checked during FB03 or MIR4 using transaction SU24.

If you are using a WebDynpro program, you could create a node in the SICF with a dedicated user/passwd. This node will call the transaction FB03 or MIR4 and return the result.

Ask your developer if he could do that.

regards

Fred


Hi Fred,

I am the developer. I have not done any node creation before.

If you can explain the SICF node creation solution in detail, it will help me in implementing it.

Thanks,

Manoj

Former Member

Hi Manoj,

For the part of your webdynpro you have developed to display the MIR4 or the FB03, you have to create a dedicated webdynpro.

Each time you create a webdynpro, SAP itself creates a node in the SICF transaction (you could find them using the filter in the first screen). In the SICF node you could change several things, like the error page, the default language, ... and you could set a username & password (like for RFC SM59).

So your user will connect to the system and start the first webdynpro; this webdynpro will call the webdynpro MIR4/FB03, and in this webdynpro, the user used by SAP will be another user with the good authorization.

We used the same logic to create a webdynpro page to reset passwords.

Good luck

Fred
