07-06-2010 4:35 AM
Hi guys,
Does anyone know whether every BAPI have authoriyt check? I read some BAPI's documents,and I found that some documents don't explain BAPI check which authority object.Dose that mean this BAPI don't have anthority check?
thanks all.
Best regards.
07-06-2010 7:07 AM
Hi,
Every Standard BAPI is equipped with Authority Check Function.You should possess sufficient authorizations to execute BAPI
Regards,
Lakshman.
07-06-2010 7:01 AM
Yes.There is authority check for every BAPI.BAPI will be posted if you user has authorization for the transaction otherwise it will not be posted.
07-06-2010 7:07 AM
Hi,
Every Standard BAPI is equipped with Authority Check Function.You should possess sufficient authorizations to execute BAPI
Regards,
Lakshman.
07-06-2010 9:13 AM
07-06-2010 10:15 AM
Small caveat to contradict the answers so far given, because the correct statement is not every BAPI contains an authorization check, though almost all of them should...
My simple counter examples are BAPI_MATERIAL_EXISTENCECHECK and BAPI_MATERIALGROUP_GET_LIST. Now of course they are rather trivial BAPIs, but it clearly shows that not all BAPI's have a builtin authorization check. Note that I'm talking here about authorization checks in ABAP coding via [authority-check|http://help.sap.com/abapdocu_70/en/ABAPAUTHORITY-CHECK.htm]. The story is a bit different if you'd call those BAPI's via [RFC|http://help.sap.com/abapdocu_70/en/ABENRFC_INTRO_OVIEW.htm], because SAP has builtin authorization checks on function group and since fairly recently also on function module name (see authorization object [S_RFC|http://help.sap.com/saphelp_nw70/helpdata/en/60/305140c770cd01e10000000a155106/frameset.htm]).
If you look at any BAPI returning/creating/updating a more complex object you should expect that SAP does some application authorization check. This is especially true for BAPI's that are supposed to mimic any transaction like VA01, etc. However, if you require such a check in a specific situation I'd say it usually doesn't hurt to take a quick peek at the used BAPI to confirm it (and if the BAPI is complex just execute it with an <em>authorization trace</em>).
I apologize for nitpicking, but I couldn't resist since the statements where a bit too broad in my opinion...
Cheers, harald