09-11-2014 11:42 AM
Hi Experts,
I have an issue regarding rules and authorization.
I have created a program with 2 radio buttons transfer and backload. The requirement in authorization is not all users can access both; some can only access transfer and some can access backload only. (r_trans,r_back)
The basis told me that they need an authorization object in order for them to block/separate the transaction for transfer and backload.
Is there a way for me to modify the program and put an authorization object with my radio button? Or is it possible to do this with the current program?
Thanks!
09-11-2014 12:31 PM
Hi,
Another option is to assign a different transaction to the program.
Like SAP does (MM01, MM02, MM03).
And in the program hide the irrelevant buttons based on sy-tcode.
The transaction can be assigned to a role.
IMHO hiding is more user friendly.
Regards.
09-11-2014 11:53 AM
Hi,
The SAP logic is to test the authorization after the user starts the program. You just check, if he asks for transfer, whether he may .. or if he asks for backload ....
You don't need to create two objects, you could create one object with a field that contains 2 possible values. SU20 SU21
regards
Fred
09-11-2014 11:55 AM
Hi
You should create an authorization object having 2 activities, for example:
- 01: Transfer
- 02: Backload
So you can check the object in the AT SELECTION-SCREEN event of your program:
AT SELECTION-SCREEN.
  " Map the selected radio button to the activity value to be checked.
  CASE 'X'.
    WHEN <RADIOBUTTON 1>. ACTIVITY = '01'.
    WHEN <RADIOBUTTON 2>. ACTIVITY = '02'.
  ENDCASE.
  AUTHORITY-CHECK OBJECT <YOUR OBJECT>
    ID 'ACTIVITY' FIELD ACTIVITY.
  IF SY-SUBRC = 0.
    " User is authorized.
  ELSE.
    " User is not authorized.
  ENDIF.
Max
09-11-2014 12:11 PM
Hi,
Thanks for the reply,
Our basis is using PFCG for roles and authorization, how can they check if my authorization object was created using that code?
Here is my code: I'm getting sy-subrc = 12.
IF r_trans EQ 'X'.
  AUTHORITY-CHECK OBJECT 'ZACTIVITY'
    ID 'ACTVT' FIELD '01'.
  IF sy-subrc NE '0'.
    MESSAGE 'User not authorized' TYPE 'S'.
    LEAVE LIST-PROCESSING.
  ELSE.
    MESSAGE 'User is authorized' TYPE 'S'.
    LEAVE LIST-PROCESSING.
  ENDIF.
ELSEIF r_back EQ 'X'.
  AUTHORITY-CHECK OBJECT 'ZACTIVITY'
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc NE '0'.
    MESSAGE 'User not authorized' TYPE 'S'.
  ELSE.
    MESSAGE 'User is authorized' TYPE 'S'.
  ENDIF.
ENDIF.
09-11-2014 12:18 PM
You could also manage the authorization in PBO/AT SELECTION-SCREEN and disable the forbidden radiobutton (also manage the default value). So the user won't be able to select an unauthorized button, and won't receive an authority failed message.
To identify roles created with PFCG which use your object, call transactions like S_BCE_68001422 or S_BCE_68001425.
Regards,
Raymond
09-11-2014 12:31 PM
Hi Raymond,
Sorry, but can you please explain it more?
How can I manage the authorization of users in my program? Is there a way that I can manage that without using the PFCG ?
User1 can access transfer button only
User2 can access backload button only
Is there a way that I can do that in my code?
09-11-2014 12:41 PM
I never suggested not to use authorization objects in my answer, read again. I only suggested hiding the not-allowed option from users, no need to make them bitter or jealous ...
- LOAD-OF-PROGRAM: execute the diverse AUTHORITY-CHECKs and save the results in global variables,
- AT SELECTION-SCREEN OUTPUT: LOOP AT SCREEN and hide the radiobutton when not allowed.
Authorization objects and roles (PFCG) are the way to manage authorization in SAP. Either you create a new object, or, as suggested by Eitan, you create different transactions (so you would check sy-tcode in your program), but the administrator will also manage authorization for the transaction (authorization object S_TCODE) in some roles in PFCG. Remember that the allowed transactions are also to be managed in PFCG roles.
Regards,
Raymond
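The outline in the post above (check once, hide what is not allowed), written out as an added example that is not part of the original thread. It assumes the ZACTIVITY object with field ACTVT and values 01/02 from the question, runs the checks in INITIALIZATION rather than LOAD-OF-PROGRAM, and repeats the check before processing; the report name, MODIF IDs, variables and the form `is_allowed` are hypothetical.

```abap
REPORT zdemo_auth_radio.
PARAMETERS: r_trans RADIOBUTTON GROUP act MODIF ID trn,
            r_back  RADIOBUTTON GROUP act MODIF ID bck.

DATA: gv_trans_ok TYPE abap_bool,
      gv_back_ok  TYPE abap_bool,
      gv_ok       TYPE abap_bool.

INITIALIZATION.
  " Check once and keep the results for the screen logic below.
  PERFORM is_allowed USING '01' CHANGING gv_trans_ok.
  PERFORM is_allowed USING '02' CHANGING gv_back_ok.
  " The first radio button is preselected; move the default if it is forbidden.
  IF gv_trans_ok = abap_false AND gv_back_ok = abap_true.
    r_trans = abap_false.
    r_back  = abap_true.
  ENDIF.

AT SELECTION-SCREEN OUTPUT.
  LOOP AT SCREEN.
    IF ( screen-group1 = 'TRN' AND gv_trans_ok = abap_false )
    OR ( screen-group1 = 'BCK' AND gv_back_ok  = abap_false ).
      screen-active = 0.            " hide the option the user may not run
      MODIFY SCREEN.
    ENDIF.
  ENDLOOP.

START-OF-SELECTION.
  " Hiding is only cosmetic: the parameters can still be filled without the
  " screen (for example SUBMIT ... WITH), so check again before doing any work.
  IF r_trans = abap_true.
    PERFORM is_allowed USING '01' CHANGING gv_ok.
  ELSE.
    PERFORM is_allowed USING '02' CHANGING gv_ok.
  ENDIF.
  IF gv_ok = abap_false.
    MESSAGE 'User not authorized' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
  " ... transfer or backload processing goes here ...

FORM is_allowed USING iv_actvt TYPE c CHANGING cv_ok TYPE abap_bool.
  " ZACTIVITY / ACTVT are the names used in the question (object from SU21).
  cv_ok = abap_false.
  AUTHORITY-CHECK OBJECT 'ZACTIVITY' ID 'ACTVT' FIELD iv_actvt.
  " sy-subrc: 0 = authorized, 4 = value not granted, 12 = object not in profile
  IF sy-subrc = 0.
    cv_ok = abap_true.
  ENDIF.
ENDFORM.
```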
09-11-2014 1:02 PM
Here is my code: I'm getting sy-subrc = 12
It means you haven't the authorization object in your profile.
Max
09-11-2014 12:37 PM
Hi Jepoy,
If there is any Tcode we don't have access to, we go through Tcode SU53 and check which roles are missing for the user; the missing roles are then added to the user so that he/she is able to access the Tcode.
Execute the authorization object check at the Initialization event and receive the subrc based on what activity you have received in the code.
For the program, why don't you try the check box concept?
Case 1:
If the user has access to both Transfer and BackLoad, show them as enabled; if he selects one, uncheck the other one using the user command field.
Case 2:
If he/she has access to only 1 check box, enable that one and gray out the other one.
Regards
Sudhakar