Adding New Auth Object to a Tx

Former Member · ‎09-18-2008

I am facing problem in adding client specific Auth restriction in a Tx: CJ20n.

I tried makig new aurth object with u201Cauth fieldsu201D containg the above fileds . And added the Auth object to Tx : CJ20n using su24.

But it is not checking the Auth Oject at all. I am not sure if some Authority-check needs to need to be coded in CJ20n program. I spoke to ABAPer to modify the STD CJ20n program to insert AUTHORITY-CHECK but he said it will be a huge modification and such things should be avoided, even I feel the same.

Let me know what are the possible solutions and how to go about it.

Details of the Requirement:

In Tx: CJ20n which is PS Project Builder. We need to implement a specific senario in which Project builder (CJ20n) the WBS elements are to restricted on basis of HR positions.

Assignment of WBS elements to project team is done in the same tcode. In which a Relationship between WBS element and HR postion is doneu2026.And HR postion in turn is assigned to a user id.

Requirement :

Not sure of the funtionality provided by SAP of the above assignment. It just assigns team members to the WBS elements but dose not restic the access of that WBS elements only to those assigned users.We need to restric this WBS elemets according to the assigments made here.

i.e. for eg. only user whos are assigned to HR postion u201Cmanageru201D should be able to access WBS element u201CTEST(00000106)u201D

Difficulty:

NON of the auth objects provided by SAP in su24 contain HR position as field. Hence not able to check the postion of the user accessing the WBS element.

Further Findings:

The above relation is stored in two different tables

Table 1 : PRPS

field name1: POSID (contains wbs project)

field name2: OBJNR (WBS id)

Table 2 : HRPS1001

field name1: SOBID (WBS id)

field name2: OBJID (HR position id)

jurjen_heeck · ‎09-18-2008

> I tried makig new aurth object with u201Cauth fieldsu201D containg the above fileds . And added the Auth object to Tx : CJ20n using su24.

> But it is not checking the Auth Oject at all. I am not sure if some Authority-check needs to need to be coded in CJ20n program. I spoke to ABAPer to modify the STD CJ20n program to insert AUTHORITY-CHECK but he said it will be a huge modification and such things should be avoided, even I feel the same.

I think your abaper is right. Authority checks need to be in the code to work. One thing that is worth investigating is the availability of user exits in the program. Maybe there is one in the right part of the program that can be activated to create additional authorization checks.

I do not know enough about CJ20n to comment on your requirements.

Jurjen

Former Member · ‎09-18-2008

Its vierd that SAP needs us to modify std code to add new authorization reqirements...

I belive CJ20n has something called User Fileds. But PS consultant is relectant to use it as an option for this.

jurjen_heeck · ‎09-18-2008

> Its vierd that SAP needs us to modify std code to add new authorization reqirements...

Supposing you meant "weird", I have to disagree. It is impossible for a software company to satisfy everybodies' needs in advance.

They try very hard, so quite a lot of programs come with additional authority-checks which are disabled throught SU24 by default. Also user-exits create the possibility to add authority checks or other customer enhancements without having to change SAP code.

Maybe someone else can comment on the user fields you mentioned. Why is the PS consultant reluctant to use those? What is the motivation not to use them?

Jurjen

Former Member · ‎09-18-2008

There are10 user fields available. I believe he want to use it for other purposes.

But the question here is not just about this perticulat Tx .

But for any other tx for which there is no std Auth ojbect which satisfy the security need , modification is nessary in the abap code it self.

No ther options available ?

Former Member · ‎09-18-2008

Actually that's the option from SAP that it allows custom development to meet company specific requirements. I agree with Jurjen that it is not possible for SAP ( as a matter of fact, anyone) to develop something which meets everyones requirements.

Regards,

Zaheer

Former Member · ‎09-18-2008

Hi Hussain

> But the question here is not just about this perticulat Tx .

and...

> But for any other tx...

I have also asked such questions.

Your best bet is to identify the point at which you want this functionality (a function module, or a method of whatever class...) and then focus on SAP note # 11.

The idea behind this (note 11) is to differentiate between specific implementation wishes and "big enough" requirements.

Depending on the size, you might get:

- Nothing (choice of transaction is incorrect, or functionality is simply not foreseen)

- An enhancement point.

- A configurable or activatable check.

- A future standard solution.

- A downportable backward compatable fix.

In addition to respecting the software logistics, we should also respect other (standard) customers.

Cheers,

Julius

Former Member · ‎09-19-2008

What I can do in such a case of MIssing funtionality is check with ABAPer if some enhancement or User exit exists .

If not can I raise a OSS msg and ask SAP if they have a work around or if they can include it in next support pack?

P.S.

>Julius

>In addition to respecting the software logistics, we should also respect other (standard) customers.

I didnt get you ????

Former Member · ‎09-19-2008

> I didnt get you ????

What I meant is that if the checks are added to the standard system, then they are added for everyone (with a standard system).

Cheers,

Julius

Former Member · ‎02-11-2009

Ok accepted the SAP standards. ANd have to find out some unique way for work with my unique requirement.