05-31-2005 4:51 PM
Hello everyone,
I'm having a problem with the authority-check.
I assign a new role and authorization that I created for user DDIC in MINISAP, and in my program I put the following chunk of code.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'P_CAR' FIELD 'AA'
ID 'ACTVT' FIELD '02'.
IF sy-subrc = 4.
MESSAGE e157(zfidemsg).
* User not authorized. Session terminated
ENDIF.
Then, in the role, I specify that the user will have Display access to the object s_carrid (field carrid) for all the airline carriers, but when in my program I select LH (a carrier) it is not allowing me to display the selection, and I only check for AA.
Can someone tell me what my mistake is?
Thanks in advance,
Fidel
05-31-2005 4:58 PM
Hi Fidel,
For display you should check with ACTVT equal to '03' not '02'.
'02' is for change.
Cheers,
Brad
05-31-2005 4:59 PM
Hi Fidel,
So, in general it's:
01 = Create
02 = Change
03 = Display
This is also followed in transaction codes: e.g. VA01, VA02, VA03 for create, change, display sales orders.
These rules are not fixed but are generally true.
Brad
05-31-2005 5:10 PM
Thanks guys,
but my problem is that I want to control the particular user when he tries to display the data of AA (only AA),
so he can have access to the other carriers. That is the reason why I put 02, so he can't have access to AA but will have it for LH, AZ, etc.
Is that the right way to prevent a user from accessing AA while having access to the other carriers?
Regards,
Fidel
05-31-2005 5:28 PM
Hi Fidel,
I would do it like this:
IF w_carid = 'AA'.
AUTHORITY-CHECK OBJECT 'S_CARRID'
ID 'P_CAR' FIELD w_carid
ID 'ACTVT' FIELD '03'.
IF SY-SUBRC NE 0.
MESSAGE ...
ENDIF.
ENDIF.
This is the simplest solution.
Brad
Message was edited by: Brad Williams (added return code check)
05-31-2005 6:06 PM
I think your current check is not correct, as it will only allow the cases where carrid is 'AA' and ACTVT is 02.
It will be false even if carrid is not 'AA'.
In real-time programs this kind of coding is not generally required.
You should do the coding as below.
DATA: lv_actvt(2)      TYPE c,
      lv_current_carid TYPE scarr-carrid.

* Derive the activity from the function the user triggered.
CASE sy-ucomm.
  WHEN 'CREA'.
    lv_actvt = '01'.
  WHEN 'EDIT'.
    lv_actvt = '02'.
  WHEN 'DISP'.
    lv_actvt = '03'.
ENDCASE.
* lv_current_carid will have the value of the current carrid.
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'P_CAR' FIELD lv_current_carid
  ID 'ACTVT' FIELD lv_actvt.
IF sy-subrc <> 0.
  MESSAGE e157(zfidemsg).
* User not authorized. Session terminated
ENDIF.
This will ensure that all those who have proper authorizations will be able to create/change/display accordingly.
And it will also ensure that authorizations will be controlled from role assignment config and not by changing the program.
And if you are adamant to do this from within your program, then:
CASE lv_carid.
  WHEN 'AA'.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'P_CAR' FIELD 'AA'
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc <> 0.
      MESSAGE e157(zfidemsg).
* User not authorized. Session terminated
    ENDIF.
  WHEN OTHERS.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'P_CAR' FIELD '*' " or ID 'P_CAR' FIELD lv_carid
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE e157(zfidemsg).
* User not authorized. Session terminated
    ENDIF.
ENDCASE.
Thanks,
Ram
Message was edited by: Ram Manohar Tiwari
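The following is an added example, not code posted by Brad or Ram, that puts the advice from both replies into one complete report: the carrier and the activity are taken from what the user actually selected, the role (not the program) decides which carriers are allowed, and every non-zero return code of AUTHORITY-CHECK is treated as a denial. It assumes the flight-demo table scarr exists (as in MINISAP), the authorization field name P_CAR and message zfidemsg 157 as used in this thread, and a constructed program name zfidel_auth_demo.

```abap
REPORT zfidel_auth_demo.

* The carrier to work on comes from the selection screen; nothing is
* hard-coded to 'AA'. scarr is the flight-demo carrier table (assumed).
PARAMETERS: p_carrid TYPE scarr-carrid OBLIGATORY,
            p_displ  RADIOBUTTON GROUP act DEFAULT 'X',
            p_change RADIOBUTTON GROUP act.

DATA: lv_actvt(2) TYPE c,
      lv_carrname TYPE scarr-carrname.

START-OF-SELECTION.
* Derive the activity from what the user is about to do
* (01 = create, 02 = change, 03 = display, as listed above).
  IF p_displ = 'X'.
    lv_actvt = '03'.
  ELSE.
    lv_actvt = '02'.
  ENDIF.

* Check the carrier that was selected against the activity that was
* requested. Whether AA is permitted is decided by the P_CAR values
* maintained in the user's role; this program never names a carrier.
* The field name P_CAR is the one used in the thread (assumed to match
* the object definition).
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'P_CAR' FIELD p_carrid
    ID 'ACTVT' FIELD lv_actvt.

  CASE sy-subrc.
    WHEN 0.
*     Authorized: read and show the carrier.
      SELECT SINGLE carrname FROM scarr INTO lv_carrname
        WHERE carrid = p_carrid.
      IF sy-subrc = 0.
        WRITE: / p_carrid, lv_carrname.
      ELSE.
        WRITE: / p_carrid, 'not found'.
      ENDIF.
    WHEN 4.
*     The user holds no authorization for this carrier/activity pair.
      MESSAGE e157(zfidemsg).
    WHEN OTHERS.
*     The check could not be evaluated (e.g. object or field mismatch).
*     Fail closed instead of falling through to the data.
      MESSAGE e157(zfidemsg).
  ENDCASE.
```

To block AA for display while leaving LH, AZ and the others open, the role's authorization for S_CARRID lists those carriers in P_CAR with ACTVT 03 and simply omits AA; the report above then denies AA without any carrier-specific branch. Checking `sy-subrc = 4` alone, as in the original post, would let any other non-zero return code (a misspelled field name, for instance) pass straight through to the SELECT, which is why the example denies on every non-zero value.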
05-31-2005 7:22 PM