
AUTHORITY-CHECK always Return sy-subrc 0

Former Member
0 Kudos

Hi,

I have created an Authorization Object 'ZAUTH_ATCH' and created Roles also. This role is assigned to only my Userid.

When in Report program I do a check:

AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
                      ID 'USER' FIELD l_syuname.

But the AUTHORITY-CHECK returns 0 for all User IDs.

Please help, what could be the issue?

Thanks

Mohammed

12 REPLIES 12

ThomasZloch
Active Contributor
0 Kudos

So does l_syuname contain any value when going into the check?

Anyway, I think it does not make sense to create an authorisation object with the user name as parameter. You are creating roles containing user names and assign them to the same users. I'm not a security expert, but this sounds totally pointless to me.

What is your rationale to create such an object?

Thomas

0 Kudos

Thanks for your reply.

I need to give only authorised users to execute the report program.

So created auth object for USER and created role also. So this role is assigned to users who will be authorised.

Please help if there is any other way to do this.

Thanks

0 Kudos

Wrong design, rather use the authorization group in program attributes in conjunction with standard S_PROGRAM object, please search for more information using this keyword.

Thomas

0 Kudos

> I need to give only authorised users to execute the report program.

Hello,

In that case I would rather use the std. Auth Obj S_PROGRAM & not create a custom object. You can get more info on this object in SU21 trxn.

BR,

Suhas

former_member195402
Active Contributor
0 Kudos

Hi Mohammed,

it depends on the complexity of your authority management in your company.

"S_PROGRAM" is the small business solution and can be used in simple authority management. In our company group it would not be allowed to use that for a new program for a few users to use it.

If there are hundreds of roles which must be worked it's the only way to create a custom authority object with check of the activity (field ACTVT).

To all users who should be able to run this program a new role must be assigned with this activity. Use for example activity "01" if you create something or '02' if you change something or '03' for displaying data.

This can be used for a group of associated programs!

Regards,

Klaus

Edited by: Klaus Babl on Apr 6, 2011 11:07 AM

0 Kudos

I don't understand the "small business" part. I did not say that S_PROGRAM should be the only protection, inside the code there could and should be any additional relevant checks, based on whatever the program does.

OP wants to protect ABAP program execution, at least that's what he revealed so far. S_PROGRAM is the standard object for this purpose. My approach is to use the standard as much as possible and only introduce customer objects when absolutely necessary.

Thomas

0 Kudos

Hi Thomas

Thanks

Can you explain to me in detail how I can use this S_PROGRAM?

Do I need to create a Role for this and assign values as 01 02 & 03?

Then how will the user be restricted to execute only say 03?

0 Kudos

Sorry Thomas,

maybe it's a problem of my English vocabulary (I'm out of school for over 30 years).

small business - small enterprises - small companies

I wanted to point out, that the usage of the SAP standard authority objects is problematical in big companies which have tons of roles on S_PROGRAM.

In my company authority administration decided that it is too expensive changing S_PROGRAM authorities. It spends too much time and costs, therefore I had to create new Z authority objects with activity fields, for there they have only to create one new role and pass it to the users who need the new authority instead of changing several roles.

0 Kudos

Thanks for the clarification, Klaus. I got the "small" part correctly, only wanted to understand the reasoning behind not using the standard objects, also for others to read so that no wrong conclusions are being drawn. I'm currently working for a "mid size" company, and S_PROGRAM works quite well (so far).

Thomas

Former Member
0 Kudos

Hi,

Maybe you would need to change the auth object and add the following two fields:

REPID ABAP Program Name

ACTVT Activity

allowed values for ACTVT :

01 Create or generate

02 Change

03 Display

16 Execute

In the code you can check

AUTHORITY-CHECK OBJECT   'OBJECT_NAME'
                      ID   'ACTVT'  FIELD '16'
                      ID   'REPID'  FIELD sy-cprog.

Hope it helps.

Anju

0 Kudos

Hi Anju,

Thanks for your reply.

Do I need to assign this Auth Obj to a Role?

How will we know that the user has Execute option?

0 Kudos

Yes, you would have to add the object to a role and assign the values

REPID: program name

ACTVT: 16

Anju
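
An added example, not part of any reply in this thread: a minimal report that runs the ACTVT/REPID check suggested above and acts on sy-subrc instead of only issuing the statement. It assumes ZAUTH_ATCH has been redefined in SU21 with the fields ACTVT and REPID and added to a role with ACTVT 16 and the program name; the report name and message texts are hypothetical.

```abap
REPORT zdemo_auth_check.  " hypothetical report name

DATA lv_denied TYPE string.

START-OF-SELECTION.
  " Without the FOR USER addition, AUTHORITY-CHECK evaluates the
  " authorizations of the current logon user (sy-uname). The FIELD
  " values are only compared with the values maintained in that
  " user's roles; passing a user name as a FIELD value does not
  " switch the check to another user.
  " Assumption: ZAUTH_ATCH carries the fields ACTVT and REPID.
  AUTHORITY-CHECK OBJECT 'ZAUTH_ATCH'
    ID 'ACTVT' FIELD '16'
    ID 'REPID' FIELD sy-cprog.

  " The statement never stops the program by itself: it only sets
  " sy-subrc, so the caller has to evaluate it and deny explicitly.
  CASE sy-subrc.
    WHEN 0.
      CLEAR lv_denied.
    WHEN 4.
      " Object is in the user master, but not with these values
      lv_denied = 'Role does not allow ACTVT 16 for this program'.
    WHEN 12.
      " Object is not in the user master at all
      lv_denied = 'No authorization for ZAUTH_ATCH assigned'.
    WHEN OTHERS.
      " Any other code is treated as a denial (fail closed)
      lv_denied = 'Authorization check failed'.
  ENDCASE.

  IF lv_denied IS NOT INITIAL.
    MESSAGE lv_denied TYPE 'S' DISPLAY LIKE 'E'.
    LEAVE PROGRAM.
  ENDIF.

  " Only authorized users reach this point
  WRITE / 'Authorized: report logic runs here.'.
```

Testing this with a user that holds a wildcard profile such as SAP_ALL will always give sy-subrc 0, so the denial path has to be verified with a user that has only the role under test.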