SAP for Higher Education and Research Discussions

question about BDT screen security

Former Member
0 Kudos

Hello, this is Jindal. Please advise me on the following topics.

Instead of using structural authorization, because of performance issues and user requirements, I am trying to use the HRBAS00INFTY BAdI for the security check.

In our case, every user can inquire about any student, but update is restricted to certain departments, so I am using HRBAS00INFTY.

1) Using the HRBAS00INFTY BAdI, I only check whether a certain user has update (add/change/delete) authority,

and it is working very well in relation to infotypes.

2) But we also have a BDT screen, and it is not an IT.

Do we have any BAdI that I can use similar to the HRBAS00INFTY BAdI?

3) If we can add this kind of standard in the security, customers would be happier.

Thanks in advance,

jin dal

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Jindal,

The BAdI HRBAS00INFTY can be used for HR infotypes. As Jeroen rightly said, you can use event AUTH1 for providing your authorization check. The event AUTH1 will be called when the call is made to the first data screen from the initial screen. The event is also called before saving. So you can create a function module for this event for your application object and put your logic for authorization in that function module.

More details can be found in the development guideline for BDTs.

Ajeesh


9 REPLIES

Former Member
0 Kudos

Hi jin dal,

Authority Checks for BDT Objects: For the BP, Contract Account and Contract Object Master Records additional authorization checks can be implemented using the event AUTH1 of the BDT Toolset. Further information can be found in the developer guide for the BDT toolset in the SAP online documentation.

Jeroen

0 Kudos

Hi Ajeesh,

Can you give me a little more detailed information about the event?

How can I find it? Is it in the IMG or a T-code?

I do not have any knowledge about events and AUTH1.

Your help would be appreciated.

regards,

jin dal

Former Member
0 Kudos

Hi Jin dal,

In the BDT framework, events are raised at different points so that customers can make use of them. The event AUTH1 is called before the call to the first data screen. So you can create a function module which checks for authorization and assign this function module to event AUTH1.

You can do this using transaction BUS7.

This will list out all events for application object BUPA. Now choose the event AUTH1 and click on the sub-tree on the left to assign the function module. Give your function module name, put 'X' in the call field, and then you need to choose an application. We have two applications. For all student master data screens except the related persons tab, use the application 'PSCM'. For the 'related persons' tab screen, use application object 'PSCI'.

To get more details on how to write a function module for the events, please have a look here

http://help.sap.com/erp2005_ehp_03/helpdata/EN/35/696d360856e808e10000009b38f839/frameset.htm

and

http://help.sap.com/erp2005_ehp_03/helpdata/EN/35/696d360856e808e10000009b38f839/frameset.htm

regards,

Ajeesh

0 Kudos

Hello Ajeesh,

This is jin dal. I am getting errors in visiting studies and, as you know, it is standard.

I added some logic in HRBAS00INFTY as follows.

I think "PERFORM .. ON COMMIT" has caused the error; in my test of the user development screen, PERFORM .. / ON COMMIT is on a different line and there is no error.

Please have a look at our program logic and, if there are mistakes, let me know.

Program source:

loop at new_image into ls_new_image.
  l_infty = ls_new_image-infty.
* check update authority for the infotype being changed
  call function 'ZCM_CHECK_AUTH01'
    exporting
      i_otype      = 'ST'
      i_objid      = l_objst
*     I_PROCESS    =
      i_infty      = l_infty
    exceptions
      no_authority = 1
      others       = 2.
  if sy-subrc <> 0.
    clearbuffer.   "not defined in the posted excerpt
    message id sy-msgid type sy-msgty number sy-msgno
            with sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
    return.
  endif.
endloop.

FUNCTION zcm_check_auth01.
  CLEAR: g_orgeh.
  CASE i_otype.
    WHEN 'ST'.
      IF NOT i_infty IS INITIAL.
*       only the infotypes listed here are checked; all others return unchecked
        CASE i_infty.
          WHEN '1714' OR '9545' OR '9720' OR '9502' OR '9580' OR '9540' OR
               '9560' OR '9610' OR '9650' OR '9670' OR '9630' OR '9620' OR
               '9635' OR '9750' OR '1702' OR '1705' OR '1711' OR '1712' OR
               '1718' OR '1703' OR '9590' OR '9550' OR '9500' OR '9520' OR
               '9531' OR '9570' OR '9512' OR '9660' OR '9680' OR '9641'.
          WHEN OTHERS.
            RETURN.
        ENDCASE.
      ENDIF.
*     look up the student's department
      CALL FUNCTION 'ZCM_KDT_BP_ST_DERIVED_ORG1'
        EXPORTING
*         PLANVERSION = '01'
*         PARTNER     =
          objectid    = i_objid
*         PIQSTUDENT  =
          read_texts  = ' '
*         KEY_DATE    = SY-DATUM
*         OPTION      =
        IMPORTING
          ex_d_objid  = g_d_objid.
*         EX_D_SHORT  =
*         EX_D_STEXT  =
*         EX_P_OBJID  =
*         EX_P_SHORT  =
*         EX_P_STEXT  =
      g_orgeh = g_d_objid. CLEAR g_d_objid.
*     the user needs a currently valid T77UA entry for that department
      SELECT SINGLE *
        FROM t77ua
        WHERE uname = sy-uname
          AND profl = g_orgeh
          AND begda <= sy-datum
          AND endda >= sy-datum.
      IF sy-subrc <> 0.
        MESSAGE e186 RAISING no_authority. "You do not have authorization to update the data.
      ENDIF.
  ENDCASE.
ENDFUNCTION.

The PERFORM .. ON COMMIT part got an error.

Former Member
0 Kudos

Hi Jin dal,

Can I ask which method of BAdI HRBAS00INFTY you are trying to implement? If you wish to check the authorization, maybe you could use the method BEFORE_OUTPUT.

The method IN_UPDATE will be called while making the update to the database. If you are making some checks here and the checks fail, then the entire application should be rolled back. So you must throw an abort message in the method implementation. This means that the checks that you do here are those checks which would result in either a data rollback or a data commit. So if you have raised messages, they obviously result in dumps. Also DO NOT COMMIT inside this method.

Maybe you can analyse the reason for the dump in transaction ST22.

If you can paste the dump log, maybe I can suggest what went wrong.

Kind regards,

Ajeesh

0 Kudos

Hello Ajeesh,

I will send you the dump message by Monday, but I met the error only in Visiting studies, which means that except for Visiting studies everything is OK, including user-developed infotypes and standard infotypes.

By analysing ST22 we changed my user-developed program source not to include ON COMMIT,

but I think Visiting studies looks to have this ON COMMIT source and only it has the problem.

We also tested in update and before update, and Visiting studies looks to use ON COMMIT, so I asked the development center whether they can change the program source not to include ON COMMIT.

By the way, I am also testing the security check in BP master, but it takes time. If you can send me some sample source that can check security, I will be happy.

I am checking as follows for infotype security:

If customers try to change a student who does not belong to my org unit, I just send an error saying you are not authorized to update this student.

thanks in advance.

jin dal

0 Kudos

Hello Ajeesh,

I got a message from the development center saying they will change the Visiting studies program not to include ON COMMIT.

regards,

jin dal

0 Kudos

Hello Ajeesh,

I added the program as follows and I am testing it, and it looks like there is no problem.

If you have any recommendation, please let me know.

By the way, if I want to give display authorization for the BDT screen, the technical topics say I have to use field group 0009, but it is not working well.

Can you recommend which authorization object I have to use, and can my function module influence it?

regards,

jin dal

Event AUTH1

3700000 ZCM_EVENT_AUTH1 X PSCM

function zcm_event_auth1.
*"----
*"*"Local Interface:
*"----

* get activity
  data: l_aktyp type tbz0k-aktyp.
  call function 'BUS_PARAMETERS_ISSTA_GET'
    importing
      e_aktyp = l_aktyp.
  check l_aktyp <> '03'. "when not in display mode

  case sy-ucomm.
    when 'SAVE' or
         'YES' or
         'OPT1'. "when saving
    when others.
      return.
  endcase.

* get instance id
  data: l_instance_count type i,
        lt_instances like bdt_instance occurs 0 with header line,
        l_instance_id type bdt_instance_id.
  call function 'BDT_CLASS_ATTRIBUTES_GET'
    importing
      ev_instance_count = l_instance_count
    tables
      et_instances      = lt_instances.
  if l_instance_count > 0.
    read table lt_instances index 1.
    l_instance_id = lt_instances-instance_id.
  else.
    l_instance_id = '1'.
  endif.

* data modified ?
  data: l_xchng type boole_d.
  call function 'BDT_DATA_MODIFIED'
    exporting
      iv_handle        = l_instance_id
    importing
      ev_xchng         = l_xchng
    exceptions
      handle_not_found = 1
      others           = 2.
  if sy-subrc <> 0.
*   MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
*           WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  endif.
  if sy-subrc = 0.
    check l_xchng <> ''.
  endif.

* get student object id
  data: l_pon type hrp1001-objid.
  get parameter id 'STUDENT' field l_pon.

* check authority
  call function 'ZCM_CHECK_AUTH01'
    exporting
      i_otype      = 'ST'
      i_objid      = l_pon
*     I_PROCESS    =
      i_infty      = c_bupa_infty
    exceptions
      no_authority = 1
      others       = 2.
  if sy-subrc <> 0.
*   hand the error to the BDT message handler
    call function 'BUS_MESSAGE_STORE'
      exporting
        arbgb = sy-msgid
        msgty = sy-msgty
        txtnr = sy-msgno
        msgv1 = sy-msgv1
        msgv2 = sy-msgv2
        msgv3 = sy-msgv3
        msgv4 = sy-msgv4.
  endif.
endfunction.
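
An added example, not part of the thread and not the posters' code: a variant of the AUTH1 check that reads the partner being maintained from BDT memory instead of SPA/GPA parameter 'STUDENT', and allows the save only when every lookup succeeds. Assumptions: the function name z_demo_event_auth1, the message zdemo 001, the type of EX_D_OBJID, the module BUP_BUPA_BUT000_GET with parameter e_but000 as the source of the current partner, and table CMACBPST (fields partner, stobjid) as the partner-to-student mapping.

```abap
FUNCTION z_demo_event_auth1.
* Added example. BDT event modules have no interface parameters.
  DATA: lv_aktyp   TYPE tbz0k-aktyp,
        ls_but000  TYPE but000,
        lv_stobjid TYPE hrobjid,
        lv_d_objid TYPE hrobjid,      " assumed type of EX_D_OBJID
        lv_profl   TYPE t77ua-profl,
        lv_allowed TYPE boole_d,      " stays initial unless a row is found
        lv_dummy   TYPE string.

* Display mode changes nothing, so there is nothing to authorize.
  CALL FUNCTION 'BUS_PARAMETERS_ISSTA_GET'
    IMPORTING
      e_aktyp = lv_aktyp.
  CHECK lv_aktyp <> '03'.

* Partner currently held in BDT memory (assumed standard module).
  CALL FUNCTION 'BUP_BUPA_BUT000_GET'
    IMPORTING
      e_but000 = ls_but000.

* Map the partner to its student object (assumed mapping table).
  SELECT SINGLE stobjid FROM cmacbpst INTO lv_stobjid
    WHERE partner = ls_but000-partner.
  IF sy-subrc = 0.
*   Department of the student, via the helper shown in the thread.
    CALL FUNCTION 'ZCM_KDT_BP_ST_DERIVED_ORG1'
      EXPORTING
        objectid   = lv_stobjid
        read_texts = ' '
      IMPORTING
        ex_d_objid = lv_d_objid.
  ENDIF.

* Allow only when a department was found and the user has a valid row.
  IF lv_d_objid IS NOT INITIAL.
    lv_profl = lv_d_objid.
    SELECT COUNT(*) FROM t77ua
      WHERE uname = sy-uname AND profl = lv_profl
        AND begda <= sy-datum AND endda >= sy-datum.
    IF sy-subrc = 0.
      lv_allowed = 'X'.
    ENDIF.
  ENDIF.

  IF lv_allowed IS INITIAL.
*   Placeholder message; INTO fills SY-MSG* without interrupting the dialog.
    MESSAGE e001(zdemo) INTO lv_dummy.
    CALL FUNCTION 'BUS_MESSAGE_STORE'
      EXPORTING arbgb = sy-msgid msgty = sy-msgty txtnr = sy-msgno.
  ENDIF.
ENDFUNCTION.
```

The module would be assigned to event AUTH1 in BUS7 in the same way as ZCM_EVENT_AUTH1 above.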