Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Add Authorization field to Authorization Object (BTRTL to P_ORGIN)

Former Member
0 Kudos

Hi,

Could anybody please let me know the steps to add authorization field to an authorization object.

I want to add authorization field (BTRTL) to authorization object (P_ORGIN).

Please suggest..

Thanks is advance!

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Swetha

P_ORGIN is a standard SAP auth. object, you cannot modify it. You can create a custom auth. object and then add this new field to it. We have done similar approach for the same auth. object. So in your role assignments you can use this auth. object instead of the previous standard object.

Hope this helps !

Regards

Ranganath

10 REPLIES 10

Former Member
0 Kudos

Authorization object can be edited i.e fileds can be added or deleted using the Transaactions SU21 and Su22 provided user has authorizations to do so.

Kind Regards,

khader.

Former Member
0 Kudos

Hi Swetha

P_ORGIN is a standard SAP auth. object, you cannot modify it. You can create a custom auth. object and then add this new field to it. We have done similar approach for the same auth. object. So in your role assignments you can use this auth. object instead of the previous standard object.

Hope this helps !

Regards

Ranganath

0 Kudos

Hi Ranganath,

As you have mentioned that you have done similar approach for the same authorization object, Could you please let me know the steps to create a custom authorization object and assign fields to that.

Thanks in advance!

0 Kudos

Hi Swetha

You can create the authority object through tcode SU21. Create a new auth. objec give all the remaining fields as per P_ORGIN to you new one and then add one more to handle for BTRTL. But more importantly please make sure your new auth. object will be used in role assignment for this HR structural authorizations.

Regards

Ranganath

PS : Reward points if found useful !

0 Kudos

Hi Ranganath,

I might sound funny..I have a small doubt here. I am new to authorizations.

As per your response, you have mentioned something about structural authorizations. I just wanted to know if this comes under the same. We were trying not to get into structural authorization by adding this new field to object and give t-code(PA30) access to particular roles. Please guide..

0 Kudos

Hi Swetha

P_ORGIN does the structural authorizations. Even if you add this field in your auth. object still it will do the structural authorizations, may be something like what you might seen in PA30. Can you let me the exact purpose, generally everyone prefers having structural authorizations as this make authorization simpler which is otherwise complex in HR.

Regards

Ranganath

PS : Reward points if found useful !

0 Kudos

Hi Ranganath,

I truly appreciate your help! The scenario is like this.

We have different departments. for eg: Quality Department. If Quality Manager has been given a t-code access, here he should be able to view information pertaining to only employees in quality dept but not other departments. Now he is able to view all other employees details.

So here, we need to restrict the view to only his department. Here I have given Tcode access (APPCREATE and APPSEARCH) and I want to restrict his view to only his department employees. Please suggest as to how to go about it.

Thanks!

0 Kudos

Hi Swetha

I can see that the case mentioned is some thing which needs structural authorizations. If the departments in your org. structure is maintained as Personnel areas then you can use the existing P_ORGIN itself... But if you departments are maintained as Personnel Sub area then you have add BTRTL to your std. auth, object and do the necessary checks.

Other option i can think of for you is,

If the PA30 is working the way you want then you can try to do auth. check similar to that. PA30 does the auth. check using the class "if_ex_hrpad00auth_check" and method which does this is "check_authorization".

Regards

Ranganath

Former Member
0 Kudos

Hi

hope it will help you.

reward if help.

In general different users will be given different authorizations based on their role in the orgn.

We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

USe SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>

ID <authority field 1> FIELD <field value 1>.

ID <authority field 2> FIELD <field value 2>.

...

ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'

ID 'ACTVT' FIELD '02'

ID 'CUSTTYPE' FIELD 'B'.

IF SY-SUBRC <> 0.

MESSAGE E...

ENDIF.

'S_TRVL_BKS' is a auth. object

ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

This Authorization concept is somewhat linked with BASIS people.

As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

Take the help of the basis Guy and create and use.

Sy-SUBRC values

4 User has no authorization in the SAP System for

such an action. If necessary, change the user

master record.

8 Too many parameters (fields, values). Maximum

allowed is 10.

12 Specified object not maintained in the user

master record.

16 No profile entered in the user master record.

24 The field names of the check call do not match

those of an authorization. Either the

authorization or the call is incorrect.

28 Incorrect structure for user master record.

32 Incorrect structure for user master record.

36 Incorrect structure for user master record.

0 Kudos

Hi Deepankar,

Thats a quick response! Thanks a lot! I will go through it.