cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to assign a BAPI to Role in SAP HR

Go to solution
Former Member

on ‎09-11-2008 2:16 AM

0 Kudos

Hello gurus,

I have a requirement in which i need to assign a set of Bapis and RFC from SAP HR to a Role and then this role to a user. I have few questions here

1. How to assign only a BAPI to role

2. How to assign a Remote Function to a Role/Profile (in PFCG)

3. Do i need to take care of underlined Infotype for Authorization purpose, as bapis are acessing further some Infotypes from HR module. so do i need to assign Infotypes to roles also.

4. How to find Object related to a BAPI or Remote Function

Points for sure for any reply.

Mani

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member181966
Active Contributor
‎09-11-2008 12:15 PM
0 Kudos

1- S_DEVELOP ABAP Workbench

2- RFC Auth Objects

S_RFC Authorization Check for RFC Access

S_RFCACL Authorization Check for RFC User (e.g. Trusted System)

S_RFC_ADM Administration for RFC Destination

S_RFC_SHLP Authorization to Use a Search Help via RFC

3- You dont need to check underlined ITs`. It should be taken care by your existing HR ITs Auth .

4- Look for SE37 and search "BAPI" "RH" & "HR" for pckage = p*

Good Luck

^Saquib

Show replies
Show replies
Former Member
‎09-11-2008 2:26 PM
0 Kudos

thanks a lot,

Well i think you took it other side from developer point of view, to make it crystal clear I have some BAPI(or BAPI enabled function module) in r/3 system named below

BAPI_ORGUNITEXT_DATA_GET - using Infotypes PA0002, PA0105 etc to read, write and modify data

BAPI_EMPLOYEE_GETDATA - using Infotypes PA0001 etc to read, write and modify data

I want to make a USER and assign him ROLE through which he can only access and Manipulate these bapis using Jco and .net technology to integrate it to other non-SAPsystem, Assuming the user dont have any other authorization.

what are the OBJECT i need to assign to this user role.

in the 4th point i mean to know BAPI Authorization Object that i need to assign to ROLE.

I hope i cleared my point.

thanks

Mani

Edited by: mandy on Sep 11, 2008 9:27 AM

former_member181966
Active Contributor
‎09-11-2008 3:38 PM
0 Kudos

Go to your role via t-code PFCG and do the following thing !

Manually Basis - Development Environment

5 Changed ABAP Workbench

5 Changed ABAP Workbench

Activity Display, Execute

Package *

Object name "YOUR BAPI NAME "

Object type *

Authorization group ABAP/4 pro Z*

^Saquib

Former Member
‎09-11-2008 8:33 PM
0 Kudos

thanks a lot for prompt reply, i still have few questions

Do i need to confgure the Infotype Authorization Object also like P_ORGIN to access infotype

Do i need to configure Authority object for for the Funcrion Group also where my Bapi** functions resides. like BAPI_ORGUNITEXT_DATA_GET resides in Function group RH_ORGPUB_APP.

i will really appreciate any reply on the same.

How do i test it from SAP and NON-SAP system any comment is addition to this requirement. i will gve you full mark anyway.

thanks

Mani

Edited by: mandy on Sep 11, 2008 3:33 PM

former_member181966
Active Contributor
‎09-12-2008 2:24 PM
0 Kudos

Do i need to confgure the Infotype Authorization Object also like P_ORGIN to access infotype

~ Yes

Do i need to configure Authority object for for the Funcrion Group also where my Bapi** functions resides. like BAPI_ORGUNITEXT_DATA_GET resides in Function group RH_ORGPUB_APP.

i will really appreciate any reply on the same.

~ Yes

How do i test it from SAP and NON-SAP system any comment is addition to this requirement. i will gve you full mark anyway.

From SAP side , you should get auth error .. and from Non-SAP sys you should get no data or ( you can write some code to check auth for above objects and raise error message and send it to non-SAP system .

i will gve you full mark anyway .

hmmmmmm, I aint only answer for Marks

Former Member
‎09-17-2008 11:20 PM
0 Kudos

Hello Guru,

well the things sounds not working, I did the negetive testing, i mean removing all the authorization from the user. He can access these FM and infotype without any restriction. It was a bit shocking.

1. Do we need to code in programming to check the authorization object for further processing ?

Cause i am using a standard BAPI and it might be possible that they are not using object based Authorization checks rather position based checks.

2. If i want to block access to other systems through RFC to some rfc enabled FM (in our case BAPIs), do i need to do something even if i have no any authorization in the user profile(I deleted all the roles and profiles assigned to user still i can access data from system through RFC).

3. how can i block access to rfc enabled FM.

thanks

Mandeep

Answers (1)

Answers (1)

Former Member
‎09-11-2008 10:14 AM
0 Kudos

Hi

The authorization object is S_DEVELOP. You can check all the authorization objects through TCode SU21.

Show replies
Show replies
Ask a Question