Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

difference between checking Objects in SU24 and in ABAP code

sreekanth_sunkara
Active Participant
0 Kudos

Hi all,

What is the difference between objects checked in SU24 and the objects checked in ABAP code?

I think if objects are even checked to No in SU24 and they are in ABAP code then the user is able to execute that object, is this correct?

And vice versa, if objects are checked to Yes in SU24 and not in the ABAP code then the user won't be able to execute? Is this correct?

Or what is the purpose of maintaining objects both in SU24 and in ABAP code?

Thanks,

Sun

1 ACCEPTED SOLUTION

Former Member

Hi Sun,

Adding an authorization object to a transaction in SU24 does not mean that the transaction will check for that authorization object. The actual check of the authorization object needs to be in the code. Adding an authorization object in SU24 to a transaction, or adding/changing values for the field will just make that authorization object/field values pop up as defaults for a transaction in PFCG.

The check indicators in the SU24 actually give the inputs necessary for the SAP system to interpret the AUTHORITY-CHECK.

CM = Authorization checks are performed (if coded in the program) AND the authorization object is added in PFCG when the tcode is added to the role menu.

C = Authorization checks are performed (if coded in the program) but the authorization object is NOT added in PFCG when the tcode is added to the role menu.

N = Authorization checks (if coded in the program) will return sy-subrc = 0 even if the user does not have the authorization.

Note, even if an auth obj is set to check and maintain in a tcode, this will not be of much use until it's hard coded in the program with AUTHORITY-CHECK with the field values mentioned. Unless there is an authority check, however stringent a restriction you put in the role will have no significance.

Thanks,

Saby..

13 REPLIES

Former Member
0 Kudos

Perhaps if you tell us (or give a hint) as to how much you already know, then it is easier to answer more specific questions.

If you look at the top of the forum page for the FAQ sticky thread, or search for SU24, then you will find a lot of information.

I am sure that there are several very interesting aspects worth discussing, the "vanilla" difference should be clear from the start (if it is not coded, then it will appear not to be there...) but unfortunately there are urban legends circulating in some websites and pubs of disputable reputation which claim otherwise...

Use the search and try it yourself (in a positive way :-).

Cheers,

Julius

jurjen_heeck
Active Contributor
0 Kudos

> or what is the purpose of maintaining objects both in SU24 and in ABAP Code.

Basically, authority-checks need to be coded into the ABAP to work. To suit as many customers' needs as possible there are a lot of checks some customers do not need.

Since it is the easier way around to disable unwanted checks, rather than having to add checks to standard SAP programs, the unwanted checks can be disabled in SU24.

0 Kudos

...this extract of the documentation of SU24 is not valid anymore for systems <=7.00...

b.rgds, Bernhard

0 Kudos

Hi Sabyasachi,

So, based on my understanding,

If a user executes a particular transaction, it will look for the tcode in SE93 and if it is valid then it will go to the ABAP code directly and look for the object that he is executing and will make sure that object is made as AUTHORITY-CHECK in the ABAP code. Is this correct? I.e. if the object that the user is looking for is not in ABAP code or not made under AUTHORITY-CHECK then it will fail irrespective of maintaining the object to YES or NO in SU24, is this correct?

So maintaining the object in SU24 is only for inserting objects in PFCG, right?

That means, even if the object is checked to No in SU24, the user can still execute the object if the authority-check for that object is in ABAP code.

Sorry, I am in confusion, please help

thanks,

Sun

0 Kudos

Hi Sun,

Whenever a txn is executed, it triggers an ABAP program to run. The permission level/limitation to the txn is controlled via auth object. If an auth object in the program has been mentioned as AUTHORITY-CHECK then on execution of the txn, the program will check if the user who is trying to access the txn has access to the same auth. object in his user profile.

This is irrespective of what has been the settings in SU24 i.e C or M or CM etc..

Thanks,

Saby..

0 Kudos

Hi,

Now I am clear, so one more last question. SU24 is only to update tables USOBT_C and USOBT_C plus to maintain values globally. Is this correct?

So if I do not check the object as yes in SU24, still by ABAP code the user will be able to access the transaction without any problem, right?

Or do we need to set objects to check/maintain so that this object will be in the user role and the ABAP code will compare its code with this object's values in the user role?

thanks again

thanks,

Sun,

0 Kudos

Hi Sun,

It is a good practice to maintain the objects in SU24 because the authorization object is added in PFCG when the tcode is added to the role menu.

USOBT, is a table that consists of transactions and authorisation objects. It stores default values of authorisation from authorisation objects.

USOBX, is a table that defines the necessary authorisation checks that need to be performed within a transaction. Initially both tables USOBT and USOBX consist of default values. These two tables are then used to fill the customer tables USBOT_C and USOBT_X through the transaction SU25.

SU24 maintains the assignment of authorisation objects in the customer tables USOBT_C and USOBX_C.

Thanks,

Saby..

0 Kudos

Ok thanks a lot for your help. I understand that.

But one more last doubt, what will happen if I assign a user a tcode, for ex: SM30, and I maintain all field values in ABAP code (AUTHORITY-CHECK) and did not maintain anything in SU24? Will the user be able to execute it without any problems or will he get an authorization error?

This is my last question,

thanks in advance,

Sun

0 Kudos

Hi Sun,

To your Q.

what will happen if I assign a user a tcode, for ex: SM30, and I maintain all field values in ABAP code (AUTHORITY-CHECK) and did not maintain anything in SU24? Will the user be able to execute it without any problems or will he get an authorization error?

If you've hard coded the authorization object with all the field values in the program for a particular txn then the user will be able to execute it without any hassle only if the user's profile also contains the relevant authorization which is contained in the program.

Thanks,

Saby..
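The coded check that the answers above refer to, as an added example that is not part of the original thread: a hypothetical report `Z_AUTHCHECK_DEMO` checks the table-maintenance object S_TABU_DIS (fields DICBERCLS and ACTVT) and evaluates the result. The report name and the authorization group value `ZDEM` are constructed for illustration.

```abap
REPORT z_authcheck_demo.

" Added example. Z_AUTHCHECK_DEMO and the group value 'ZDEM' are constructed.
PARAMETERS p_group TYPE c LENGTH 4 DEFAULT 'ZDEM'.

START-OF-SELECTION.

  " The check exists only because this statement is coded in the program.
  " An SU24 entry for the transaction supplies PFCG proposals; it does not
  " add a check to code that has none.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD p_group     " table authorization group
    ID 'ACTVT'     FIELD '03'.       " 03 = display

  " The statement only sets sy-subrc. The program has to evaluate it;
  " a check whose return code is ignored restricts nothing.
  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Display allowed for authorization group', p_group.
      " ... protected logic goes here ...
    WHEN 4.
      WRITE: / 'Object is in the user master record, but not with these values.'.
    WHEN 12.
      WRITE: / 'No authorization for S_TABU_DIS in the user master record.'.
    WHEN OTHERS.
      WRITE: / 'Authorization check failed, sy-subrc =', sy-subrc.
  ENDCASE.
```

Whether the user's profile contains a matching S_TABU_DIS authorization is what decides the outcome at runtime; how it got into the role (SU24 proposal or manual entry in PFCG) makes no difference to the statement.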

0 Kudos

Hi, thanks a lot,

That means if we add it manually, right? Otherwise, without maintaining (check/maintain) it in SU24, how will this authorization be in the user profile?

thanks,

Sun

Edited by: sun on Oct 15, 2008 9:41 PM

0 Kudos

This is what is known in German as a "Schwerer Geburt"... (not sure whether there is an English term which has the same meaning)...

When you searched, did you read this thread?:

> My understanding of this confusion is ...
>
> ... SAP's development systems deem an "unknown" check to be successful until specified for a check (this is different in customer systems - which leads many to believe that adding and removing check indicators from SU24 will add and remove authority-checks....),
>
> ...This problem then reproduces itself both in SU53 and ST01 once the SU22 / SU24 error has been made.
>
> ...It is one of those things which you need to know or find on your own (not too difficult), otherwise you simply don't know it.

It is context specific, when the context is known to the customer system where the code is running => You cannot activate a check in SU24 if it is not coded anywhere (please distinguish between starting a transaction, using it, and navigating further from that transaction...). The only case where SAP does what you seem to be assuming (or hoping for...) is in fact to turn an authority-check off in some cases or to make the calling context known when it is remote (in which case sy-tcode or the entry point context is not known)...

It is not to turn the check on when it is not coded anywhere!!!

Perhaps you would like to phrase your final question just one more time.

Cheers,

Julius

0 Kudos

Thanks a lot to all of you.

I understood the concept fully now

thanks,

Sun