Authority-Check concept

Former Member
0 Kudos

Hi,

I'm unable to get the concept behind an AUTHORITY-CHECK.

When I create an authority object for some fields in a table, I am actually checking whether the particular user has permissions/rights to perform a particular action over that field in the table. Correct?

Why do we then need authority checks? Can I not just perform the action, then check the SY-SUBRC field to see whether that action was performed successfully?

Thanks

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Adarsh,

There is a huge difference between sy-subrc and authority check.

Sy-subrc lets you know whether you have performed an action properly or not.

Authority-check will help to find whether a user has authorization to perform an action or not.

Hope this clears it up for you.

Thanks,

Arun

8 REPLIES

Former Member
0 Kudos

Hi,

AUTHORITY-CHECK

Basic form

AUTHORITY-CHECK OBJECT object
  ID name1 FIELD f1
  ID name2 FIELD f2
  ...
  ID name10 FIELD f10.

Effect

Explanation of IDs:

object: Field which contains the name of the object for which the authorization is to be checked.

name1 ... name10: Fields which contain the names of the authorization fields defined in the object.

f1 ... f10: Fields which contain the values for which the authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and also a value for each ID (or DUMMY).

The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code SY-SUBRC = 0, the user has the required authorization and may continue.

The return code is modified to suit the different error scenarios. The return code values have the following meaning:

4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.

8 Too many parameters (fields, values). Maximum allowed is 10.

12 Specified object not maintained in the user master record.

16 No profile entered in the user master record.

24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

28 Incorrect structure for user master record.

32 Incorrect structure for user master record.

36 Incorrect structure for user master record.

If the return code value is 8 or possibly 24, inform the person responsible for the program. If the return code value is 4, 12, 15 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP, since authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ : Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0002'
  ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' DUMMY
  ID 'ACTVT' FIELD '01'.

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0005'
  ID 'ACTVT' FIELD '04'.

To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY, as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.

0 Kudos

Hi,

Thanks for your speedy reply.

I want a clarification on that.

Normally, we would perform an authority check, check sy-subrc to see if the check passed, and then perform the action on the table/field.

Instead, is it not possible to first perform the action on the field/table, then check the value of sy-subrc to see if the action was performed successfully or not? If it was performed successfully, we continue with the program, else we don't.

I don't see the need for an authority-check. I am just starting with ABAP, so bear with me if my question seems way too basic or silly.

Thanks.

0 Kudos

Hi Adarsh,

We use AUTHORITY-CHECK to check whether the user is supposed to perform that action or not.

By default SAP will allow all the users to perform all the tasks. We have to use an auth. check to prevent a user from performing the action.

Hope this clears it up for you.

Thanks,

Arun
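
The ordering discussed in this exchange, as an added ABAP example that is not part of any poster's reply: the authorization question is asked before the write, and each `sy-subrc` is read immediately after the statement that set it. The report name and the custom table ZPLANT_NOTE (key WERKS, text field NOTE) are hypothetical; M_EINF_WRK, WERKS and ACTVT are taken from the documentation excerpt quoted earlier in the thread.

```abap
REPORT zauth_check_demo.

" Hypothetical custom table ZPLANT_NOTE (key WERKS, text field NOTE).
" It stands in for whatever data the program is about to change.
PARAMETERS: p_werks TYPE werks_d OBLIGATORY,
            p_note  TYPE c LENGTH 60.

START-OF-SELECTION.

  " 1. Ask the authorization question first:
  "    may the current user change (ACTVT 02) data for this plant?
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD p_werks
    ID 'ACTVT' FIELD '02'.

  IF sy-subrc <> 0.
    " Here sy-subrc is the result of the authorization check.
    " Nothing has been written yet, so there is nothing to undo.
    MESSAGE |No change authorization for plant { p_werks } (rc { sy-subrc })|
            TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " 2. Only now touch the database. The UPDATE statement itself
  "    performs no authorization check on the user.
  UPDATE zplant_note SET note = p_note WHERE werks = p_werks.

  IF sy-subrc <> 0.
    " Here sy-subrc is the result of the UPDATE: no row matched.
    " It says nothing about what the user is allowed to do.
    MESSAGE |No entry found for plant { p_werks }| TYPE 'S' DISPLAY LIKE 'W'.
  ELSE.
    COMMIT WORK.
  ENDIF.
```

Reversing the two steps would leave `sy-subrc = 0` after a successful UPDATE for every user, authorized or not, because the value only reports whether a row was changed.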

0 Kudos

Hi,

OK, I think I get it now. So, if an authority check isn't performed, any user can change anything.

Then the authority object which we (programmers) create checks the permissions against what? Who decides those?

Thanks

0 Kudos

Hi,

In other words, can we say that an authority-check is an artificial security device imposed by the developer/programmer on the user? Just so that he doesn't mess up the system.

Thanks.

0 Kudos

Kind of yes.

Internally SAP also uses the same concept to check whether a user has authorization to perform a certain task.

For example, some user might not have authorization to execute the transaction SU01. Here SAP checks the authorization object S_TCODE and the T code value to check whether the user has the particular authorization.

Sometimes the SAP authorization might not be sufficient, so we are also using the same funda to create some custom authorization.

Hope this helps you.

Thanks,

Arun

0 Kudos

yeah, it helps a lot.. thanks a ton..

adarsh