Authority Check base on the Plant in the user ROLE

Former Member · ‎02-08-2008

Hi Gurus,

I would like to have the Authority check for the user based on the plants provided in the Role.

its very urgent please advise.

thanks in advance

Ravi

former_member156446 · ‎02-08-2008

Hi,

usually authorization is not added on for one field in a table. if the user is not authorized to view the total field, then check the authority at the beginnning of the program. If the authority fails do not display the total field, else display the total field. There is no need to add authority check inside the loop.

AUTHORITY-CHECK OBJECT object

ID name1 FIELD f1

ID name2 FIELD f2

...

ID name10 FIELD f10.

Effect

Explanation of IDs:

object

Field which contains the name of the object for which the authorization is to be checked.

name1 ...

Fields which contain the names of the

name10

authorization fields defined in the object.

f1 ...

Fields which contain the values for which the

f10

authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and a also a value for each ID (or DUMMY).

The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.

The return code value changes according to the different error scenarios. The return code values have the following meaning:

4

User has no authorization in the SAP System for such an action. If necessary, change the user master record.

8

Too many parameters (fields, values). Maximum allowed is 10.

12

Specified object not maintained in the user master record.

16

No profile entered in the user master record.

24

The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

28

Incorrect structure for user master record.

32

Incorrect structure for user master record.

36

Incorrect structure for user master record.

If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ: Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0002'

ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' DUMMY

ID 'ACTVT' FIELD '01':

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0005'

ID 'ACTVT' FIELD '04'.

To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.

Former Member · ‎02-09-2008

Hi Gurus,

Actually my requierment is to have a authority check at plant level for a custom report.

the report is common for all the plants, but i want to restrict the user of 100 plant not to see the datas of 200 or 300.

[ what ever plants the user is authorised he must be able to run the report for that plant only ].

if i hardcode the values of plant in the program, and later if the same user is to be given access for some more plants i feel it will be difficult to change the coding each time.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'

ID 'WERKS' FIELD '0002'

ID 'ACTVT' FIELD '02'.

i dont have the idea of accessing the above code dinamically based on the ROLE.

i requier the Authority to be checked against the values in the Role were the fuctional gui specifies the values of the Plant. and assigns it to the pirticular user.

its very urgent Please advise.

Regards

Ravi

Edited by: RAVI CHANDRAN on Feb 11, 2008 6:54 AM

Former Member · ‎02-11-2008

Hi,

You can try it in below ways:

1. If Plant is parameter or selection-screen.

> Validate the plants as per input in selection screen with table T001w

2. If Plant is not in selection

> Get list of all plants as in definition

With the list of all valid plants by above two mechanisms proceed as below:

> For each valid plant check the authorization object

> Collect all plants into a RANGE for which the authorization exists.

> Use this range for further processing.

Regards

Eswar

Former Member · ‎02-11-2008

Hello Eswar,

Thank you for your Reply.

T001w will contain list of all plants, how can i relate this with the plant specified in the Role.

i have the plant in the selection screen.

can you give me some example code.

Regards

Ravi

Former Member · ‎02-11-2008

Try as below:


TABLES: t001w.
SELECT-OPTIONS: s_werks FOR t001w-werks.

TYPES: BEGIN OF ty_plant,
         werks TYPE werks_d,
       END OF ty_plant.

DATA: i_plant TYPE TABLE OF ty_plant,
      wa_plant TYPE ty_plant.

RANGES: r_plant FOR t001w-werks.

AT SELECTION-SCREEN.

  SELECT werks INTO TABLE i_plant
         FROM t001w
         WHERE werks IN s_werks.
  CHECK sy-subrc EQ 0.
  r_plant-sign = 'I'.
  r_plant-option = 'EQ'.
  LOOP AT i_plant INTO wa_plant.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD wa_plant-werks
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc EQ 0.
      r_plant-low = wa_plant-werks.
      APPEND r_plant.
    ENDIF.
  ENDLOOP.

START-OF-SELECTION.

  SELECT <fld>....
    INTO <itab>
    FROM <table>
    WHERE werks IN r_werks
    AND ...

Regards

Eswar

Former Member · ‎02-11-2008

Hi Gurus,

My Functional Guy has created a roles in which he has specified plants.

example.

Role 1 -

> plants 1000 to 1300.

Role 2 -

> plants 1300 to 1500.

and so on.

requests the basis to assign Role1 to user A.

assign Role 2 to user B.

I have writen a Yreport which gives some details about the Plant.

When user A runs the report it must allow him run it only for Plant 1000 to 1300.

similarly when user B runs the same report it must alow him run only for the plant 1300 to 1500.

if User A trys to execute the report for other plants. it must through error message as not authorised to run for plant---.

tomorrow if the functional consultant wishes to provide authorisation for the user A to execute the report for plant 1000 to 1500. simply he will request the basis to assign the Role2 to user A.

Hope you can understand my situation.

my Requierment is to have a authority check against the Plant provided in the Role of the user.

Please Advise, its very urgent

Points Will be rewarded for all usefull replys

Regards

Ravi