02-08-2008 5:29 AM
Hi Gurus,
I would like to have the Authority check for the user based on the plants provided in the Role.
It's very urgent, please advise.
Thanks in advance
Ravi
02-08-2008 5:31 AM
Hi,
Usually authorization is not added for one field in a table. If the user is not authorized to view the total field, then check the authority at the beginning of the program. If the authority check fails, do not display the total field; otherwise display the total field. There is no need to add the authority check inside the loop.
AUTHORITY-CHECK OBJECT object
  ID name1 FIELD f1
  ID name2 FIELD f2
  ...
  ID name10 FIELD f10.

Effect

Explanation of IDs:

object: Field which contains the name of the object for which the authorization is to be checked.
name1 ... name10: Fields which contain the names of the authorization fields defined in the object.
f1 ... f10: Fields which contain the values for which the authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4: User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8: Too many parameters (fields, values). Maximum allowed is 10.
12: Specified object not maintained in the user master record.
16: No profile entered in the user master record.
24: The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28: Incorrect structure for user master record.
32: Incorrect structure for user master record.
36: Incorrect structure for user master record.

If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object

M_EINF_WRK
  ACTVT
  WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1
  ACTVT 01-03
  WERKS 0001-0003

can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0002'
  ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' DUMMY
  ID 'ACTVT' FIELD '01'.

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0005'
  ID 'ACTVT' FIELD '04'.

To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
02-09-2008 4:55 AM
Hi Gurus,
Actually my requirement is to have an authority check at plant level for a custom report.
The report is common for all the plants, but I want to restrict the user of plant 100 so that he cannot see the data of 200 or 300.
[ Whatever plants the user is authorised for, he must be able to run the report for those plants only ].
If I hardcode the values of the plant in the program, and later the same user is to be given access for some more plants, I feel it will be difficult to change the coding each time.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
I don't have any idea how to access the above code dynamically based on the role.
I require the authority to be checked against the values in the role, where the functional guy specifies the values of the plant and assigns it to the particular user.
It's very urgent, please advise.
Regards
Ravi
Edited by: RAVI CHANDRAN on Feb 11, 2008 6:54 AM
02-11-2008 6:15 AM
Hi,
You can try it in below ways:
1. If Plant is parameter or selection-screen.
> Validate the plants as per input in selection screen with table T001w
2. If Plant is not in selection
> Get list of all plants as in definition
With the list of all valid plants by above two mechanisms proceed as below:
> For each valid plant check the authorization object
> Collect all plants into a RANGE for which the authorization exists.
> Use this range for further processing.
Regards
Eswar
02-11-2008 6:28 AM
Hello Eswar,
Thank you for your reply.
T001W will contain the list of all plants. How can I relate this with the plant specified in the role?
I have the plant in the selection screen.
Can you give me some example code?
Regards
Ravi
02-11-2008 6:37 AM
Try as below:
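TABLES: t001w.
SELECT-OPTIONS: s_werks FOR t001w-werks.
TYPES: BEGIN OF ty_plant,
         werks TYPE werks_d,
       END OF ty_plant.
DATA: i_plant  TYPE TABLE OF ty_plant,
      wa_plant TYPE ty_plant.
RANGES: r_plant FOR t001w-werks.

AT SELECTION-SCREEN.
  " This event can run more than once, so rebuild the range each time.
  REFRESH r_plant.
  CLEAR r_plant.
  " Resolve the selection into the plants that exist in T001W.
  SELECT werks INTO TABLE i_plant
    FROM t001w
    WHERE werks IN s_werks.
  r_plant-sign   = 'I'.
  r_plant-option = 'EQ'.
  " Keep only the plants the user's authorizations cover.
  LOOP AT i_plant INTO wa_plant.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD wa_plant-werks
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc EQ 0.
      r_plant-low = wa_plant-werks.
      APPEND r_plant.
    ENDIF.
  ENDLOOP.
  " An empty range matches every row in WHERE ... IN, so stop here
  " when no plant was found or none passed the check.
  IF r_plant[] IS INITIAL.
    MESSAGE 'No authorization for the selected plants' TYPE 'E'.
  ENDIF.

START-OF-SELECTION.
  SELECT <fld>....
    INTO <itab>
    FROM <table>
    WHERE werks IN r_plant
    AND ...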
Regards
Eswar
02-11-2008 8:08 AM
Hi Gurus,
My functional guy has created roles in which he has specified plants.
Example:
Role 1 -
> plants 1000 to 1300.
Role 2 -
> plants 1300 to 1500.
and so on.
He requests Basis to assign Role 1 to user A,
and to assign Role 2 to user B.
I have written a Y report which gives some details about the plant.
When user A runs the report, it must allow him to run it only for plants 1000 to 1300.
Similarly, when user B runs the same report, it must allow him to run it only for plants 1300 to 1500.
If user A tries to execute the report for other plants, it must throw an error message as not authorised to run for plant---.
Tomorrow, if the functional consultant wishes to provide authorisation for user A to execute the report for plants 1000 to 1500, he will simply request Basis to assign Role 2 to user A.
Hope you can understand my situation.
My requirement is to have an authority check against the plant provided in the role of the user.
Please advise, it's very urgent.
Points will be rewarded for all useful replies.
Regards
Ravi
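
An added example, not part of the original thread: one way to meet the requirement in the post above, where the report rejects the run and names the first plant that the user's roles do not cover. No plant values are hardcoded, because AUTHORITY-CHECK compares the plant passed in against whatever WERKS values the roles assigned to the user contain. The report name, variable names, message texts and the use of ACTVT '03' (display) are assumptions for illustration.

```abap
REPORT yplant_auth_demo.          " hypothetical report name

TABLES t001w.
SELECT-OPTIONS s_werks FOR t001w-werks.

DATA: gt_werks TYPE STANDARD TABLE OF werks_d,
      gv_werks TYPE werks_d,
      gv_msg   TYPE string.

AT SELECTION-SCREEN.
  " Expand the input (single values, intervals, patterns, or nothing
  " at all) into the concrete plants that exist in T001W.
  SELECT werks FROM t001w INTO TABLE gt_werks
    WHERE werks IN s_werks.
  IF sy-subrc <> 0.
    MESSAGE 'No plant matches the selection' TYPE 'E'.
  ENDIF.

  " Check every selected plant against the user's authorizations.
  " ACTVT '03' is an assumption for a display-only report; use the
  " activity that the roles actually grant.
  LOOP AT gt_werks INTO gv_werks.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD gv_werks
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      " Fail closed: any non-zero return code blocks the run.
      CONCATENATE 'Not authorized to run for plant' gv_werks
        INTO gv_msg SEPARATED BY space.
      MESSAGE gv_msg TYPE 'E'.
    ENDIF.
  ENDLOOP.

START-OF-SELECTION.
  " gt_werks now holds only plants that passed the check. Read the
  " report data for these plants, never for an unchecked selection.
  LOOP AT gt_werks INTO gv_werks.
    WRITE: / 'Authorized plant:', gv_werks.
  ENDLOOP.
```

With Role 1 (plants 1000 to 1300) assigned, a selection of 1000 to 1300 passes and a selection that reaches 1400 stops with the error for that plant; assigning Role 2 as well widens the accepted selection without any change to the program.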