Application Development Discussions
Authority-Check

Former Member

Hello everyone,

I'm having a problem with the authority-check.

I assigned a new role and authorization that I created to user DDIC in MINISAP, and in my program I put the following chunk of code.

AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'P_CAR' FIELD 'AA'
  ID 'ACTVT' FIELD '02'.

* sy-subrc 4 means "not authorized", but any other non-zero code means the
* check could not be carried out, so test for <> 0 rather than only = 4
IF sy-subrc <> 0.
  MESSAGE e157(zfidemsg).
* User not authorized. Session terminated
ENDIF.

Then, in the role, I specify that the user has Display access to the object s_carrid (field carrid) for all the airline carriers, but when I select LH (a carrier) in my program it does not allow me to display the selection, and I only check for AA.

Can someone tell me what my mistake is?

Thanks in advance,

Fidel

1 ACCEPTED SOLUTION

Former Member

Hi Fidel,

For display you should check with ACTVT equal to '03' not '02'.

'02' is for change.

Cheers,

Brad


Hi Fidel,

So, in general its:

01 = Create

02 = Change

03 = Display

This is also followed in transaction codes, e.g. VA01, VA02, VA03 for create, change and display of sales orders.

These rules are not fixed, but they are generally true.

Brad


Thanks guys,

but my problem is that I want to control the particular user when he tries to display the data of AA (only AA),

so that he can still have access to the other carriers. That is the reason why I put 02: so he can't have access to AA but will have it for LH, AZ etc.

Is that the right way to prevent a user from accessing AA while keeping access to the other carriers?

Regards,

Fidel


Hi Fidel,

I would do it like this:


* only the AA carrier is guarded here; every other carrier passes without a check
IF w_carid = 'AA'.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'P_CAR' FIELD w_carid
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc NE 0.
    MESSAGE ...
  ENDIF.
ENDIF.

This is the simplest solution.

Brad

Message was edited by: Brad Williams (added return code check)


I think your current check is not correct, as it will only allow the cases where carrid is 'AA' and ACTVT is 02.

It will fail even if carrid is not 'AA'.

In real-world programs this kind of coding is not generally required.

You should do the coding as below.



DATA: lv_actvt         TYPE activ_auth,   " ACTVT value derived from the user command
      lv_current_carid TYPE s_carr_id.    " carrier the user is currently working on

CASE sy-ucomm.
  WHEN 'CREA'.
    lv_actvt = '01'.
  WHEN 'EDIT'.
    lv_actvt = '02'.
  WHEN 'DISP'.
    lv_actvt = '03'.
ENDCASE.

* lv_current_carid holds the value of the current carrid
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'P_CAR' FIELD lv_current_carid
  ID 'ACTVT' FIELD lv_actvt.
IF sy-subrc <> 0.
  MESSAGE e157(zfidemsg).
* User not authorized. Session terminated
ENDIF.

This will ensure that all those who have the proper authorizations will be able to create/change/display accordingly.

It will also ensure that authorizations are controlled from the role assignment configuration and not by changing the program.

And if you are adamant about doing this from within your program, then:



CASE lv_carid.
  WHEN 'AA'.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'P_CAR' FIELD 'AA'
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc NE 0.
      MESSAGE e157(zfidemsg).
*     User not authorized. Session terminated
    ENDIF.

  WHEN OTHERS.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'P_CAR' FIELD '*'   " or ID 'P_CAR' FIELD lv_carid
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc NE 0.
      MESSAGE e157(zfidemsg).
*     User not authorized. Session terminated
    ENDIF.
ENDCASE.

Thanks,

Ram

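Brad's ACTVT mapping (01/02/03) and Ram's recommendation to check the carrier actually selected, combined into one runnable report as an added example. This is not code from the thread: it derives ACTVT from the user command, performs the check on the selected carrier rather than a hard-coded 'AA', and denies on every non-zero return code instead of only on 4, so a mistyped object or field name fails closed rather than open. It assumes the authorization object S_CARRID with IDs P_CAR and ACTVT, message 157 in message class ZFIDEMSG and the CREA/EDIT/DISP function codes exactly as they appear in the posts above; the report name, the form name and the SELECT on SCARR are hypothetical.

```abap
REPORT zfidemo_authcheck.

" Added example, not code from the thread. Assumptions: authorization
" object S_CARRID with IDs P_CAR and ACTVT, message 157 in class ZFIDEMSG
" and function codes CREA/EDIT/DISP, all taken from the posts above.
" Report name, form name and the SELECT on SCARR are hypothetical.

TYPE-POOLS abap.

PARAMETERS p_carrid TYPE s_carr_id DEFAULT 'LH'.

*---------------------------------------------------------------------*
* Map the user command to an ACTVT value, run the check for the carrier
* the user actually chose, and evaluate every return code: only 0 grants
* access, 4 is "not authorized", 12 is "no authorization for the object
* at all", and anything else means the check could not be carried out.
* All of them deny, so nothing slips through on a configuration error.
*---------------------------------------------------------------------*
FORM check_carrier_auth USING    iv_carrid TYPE s_carr_id
                                 iv_ucomm  TYPE sy-ucomm
                        CHANGING cv_ok     TYPE abap_bool.
  DATA lv_actvt TYPE activ_auth.

  cv_ok = abap_false.

  CASE iv_ucomm.
    WHEN 'CREA'. lv_actvt = '01'.   " create
    WHEN 'EDIT'. lv_actvt = '02'.   " change
    WHEN 'DISP'. lv_actvt = '03'.   " display
    WHEN OTHERS.
      RETURN.                      " unknown command: deny
  ENDCASE.

  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'P_CAR' FIELD iv_carrid
    ID 'ACTVT' FIELD lv_actvt.

  CASE sy-subrc.
    WHEN 0.
      cv_ok = abap_true.           " authorized for this carrier/activity
    WHEN 4.
      cv_ok = abap_false.          " object present, value/activity missing
    WHEN 12.
      cv_ok = abap_false.          " no authorization for S_CARRID at all
    WHEN OTHERS.
      cv_ok = abap_false.          " check not performed: fail closed
  ENDCASE.
ENDFORM.

START-OF-SELECTION.
  DATA: lv_ok    TYPE abap_bool,
        lv_ucomm TYPE sy-ucomm VALUE 'DISP',   " this report only displays
        lt_carr  TYPE STANDARD TABLE OF scarr,
        ls_carr  TYPE scarr.

  PERFORM check_carrier_auth USING p_carrid lv_ucomm CHANGING lv_ok.

  IF lv_ok = abap_false.
    MESSAGE e157(zfidemsg).
*   User not authorized. Session terminated
  ENDIF.

  " Because the check is on p_carrid, a role that grants P_CAR = 'LH'
  " but not 'AA' lets LH through and blocks AA without any code change.
  SELECT * FROM scarr INTO TABLE lt_carr WHERE carrid = p_carrid.
  LOOP AT lt_carr INTO ls_carr.
    WRITE: / ls_carr-carrid, ls_carr-carrname.
  ENDLOOP.
```

Run it once with a role that contains P_CAR = 'LH', ACTVT = '03' and once with P_CAR = 'AA': the first shows the LH row, the second stops with message 157. Temporarily misspelling the object name in the AUTHORITY-CHECK also stops with message 157, which is the point of handling every non-zero sy-subrc instead of only 4.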


Thank you Brad and Ram, you guys solved the problem.

Fidel