
Authorisation object Clarifications

Former Member
0 Kudos

Hi Friends ,

I have a requirement where there is a custom pushbutton on the screen, and when a user clicks the button the code has to check whether the user belongs to the Customer Service user group or not. If so, then proceed with the coding, else send a message.

I understand that the user can be checked using an Authorization object, hence I created one Authorization object and also coded the program

AUTHORITY-CHECK OBJECT 'Z_CUS_SERV'
  ID 'ACTVT' FIELD '02'
  ID 'ZUSRGRP' FIELD lv_cust_serv.

Question - Is it right that the parameter lv_cust_serv should have the value 'Customer Service'? Or the new role name or the profile name?

I'm confused, could anyone suggest which is the right way to approach this?

Many thanks ,

Kumaran

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

In the Authorization object

AUTHORITY-CHECK OBJECT 'Z_CUS_SERV'
  ID 'ACTVT' FIELD '02'
  ID 'ZUSRGRP' FIELD lv_cust_serv.

Let any value be passed through the lv_cust_serv variable. If that value is assigned to the respective user in his profile, then the sy-subrc check will return 0; otherwise you pass an error message.

AUTHORITY-CHECK OBJECT 'Z_CUS_SERV'
  ID 'ACTVT' FIELD '02'
  ID 'ZUSRGRP' FIELD lv_cust_serv.
IF sy-subrc NE 0.
* Check failed: stop with an error message
  MESSAGE 'You are not authorized' TYPE 'E'.
ENDIF.

Hope this is helpful to you.

Thanks

Eswar

4 REPLIES 4

Former Member
0 Kudos

Hi, the field lv_cust_serv should have values which are acceptable for the data element ZUSRGRP.

Former Member
0 Kudos

Hi,

Thanks for the reply.

Is it enough to just specify this

AUTHORITY-CHECK OBJECT 'Z_CUS_SERV'
  ID 'ACTVT' FIELD '02'

excluding the other field in the object?

As this object is assigned to a role and in turn the role is assigned to the user profile.

Or do we have to pass the exact role name in the ID 'ZUSRGRP' FIELD lv_cust_serv to perform the validation?

Many thanks ,

Kumaran

0 Kudos

Hi,

You probably need to read up on the authorisation concept or talk to a security guy to really understand this.

Anyway, based on what you've said here's what I think you need.

Firstly, forget about the role name or the profile name, your program should not know or care what the role is called.

So, you've created an object Z_CUS_SERV with fields ACTVT and ZUSRGRP. The field ACTVT is used to determine the type of access Create/Change/Display/Delete etc, so if you need to check the type of access to grant the user you need this. From your original explanation of the requirement I don't think you do, you've pretty much a binary check, the button can only be clicked if you're in Customer Service. This is where ZUSRGRP comes in, this could be used to check the group the user belongs to. But the value can only be Customer Service or nothing, so do you really need it? I don't think so, as you can use just the object to make the check.

Your security guy (or girl) should create a role that contains the object Z_CUS_SERV and only give this role to users in the Customer Service group. In your code you should just check;


* The statement needs at least one ID; DUMMY skips the value check for a field
AUTHORITY-CHECK OBJECT 'Z_CUS_SERV'
  ID 'ACTVT'   DUMMY
  ID 'ZUSRGRP' DUMMY.
IF SY-SUBRC EQ 0.
* User has the authorisation object in their role therefore is in Customer Service, display the button
ELSE.
* User does not have the authorisation object in their role, so is not in Customer Service, hide the button
ENDIF.

Regards,

Nick
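
An added example, not code from any post in this thread: a small report that runs the field-level check discussed above and separates the return codes, so a missing object (12) can be told apart from an object assigned with other field values (4). The report name, the class `lcl_auth`, the 10-character length of ZUSRGRP and the value 'CUSTSERV' are assumptions made for illustration.

```abap
REPORT z_cus_serv_auth_demo.

* Assumptions (not from the thread): ZUSRGRP is a 10-character field and
* 'CUSTSERV' is the value maintained for it in the Customer Service role's
* Z_CUS_SERV authorization. It is a field value, not a role or profile name.
TYPES ty_usrgrp TYPE c LENGTH 10.
CONSTANTS gc_usrgrp TYPE ty_usrgrp VALUE 'CUSTSERV'.

CLASS lcl_auth DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS check_change
      IMPORTING iv_usrgrp       TYPE ty_usrgrp
      RETURNING VALUE(rv_subrc) TYPE sy-subrc.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD check_change.
    " FIELD values are compared with the authorizations in the current
    " user's master record; the role only delivers those values.
    AUTHORITY-CHECK OBJECT 'Z_CUS_SERV'
      ID 'ACTVT'   FIELD '02'
      ID 'ZUSRGRP' FIELD iv_usrgrp.
    rv_subrc = sy-subrc.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " In the real program this call belongs in the PAI handling of the
  " pushbutton's function code.
  CASE lcl_auth=>check_change( gc_usrgrp ).
    WHEN 0.
      WRITE / 'Authorized: continue with the pushbutton logic'.
    WHEN 4.
      " Object is in the user master, but not with ACTVT 02 / this group
      MESSAGE 'Not authorized for this activity or user group' TYPE 'E'.
    WHEN 12.
      " User has no authorization for Z_CUS_SERV at all
      MESSAGE 'No authorization for object Z_CUS_SERV' TYPE 'E'.
    WHEN OTHERS.
      " Fail closed on any other return code
      MESSAGE 'You are not authorized' TYPE 'E'.
  ENDCASE.
```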