CATM authorization issue

Former Member
Hi all,

I have some authorization issues with transaction CATM.

I would like to secure the transfer of purchase orders based on the purchasing organization and the purchasing group.

Authorization objects M_BEST_EKG and M_BEST_EKO are checked when a purchase order is transferred via CATM.

However, if I try to transfer a purchase order assigned to an unauthorized purchasing org. or purchasing group, it works.

I get the log message saying that the entry sheet has been created successfully even if the user shouldn't be authorized to do it.

I did a trace with ST01 and it shows that the user is not authorized for authorization objects M_BEST_EKO and M_BEST_EKG but the program still performs the transfer.

Has anybody else ever faced this problem before?

Thank you in advance for your help.

7 REPLIES

Former Member
Hi,

Just to recap your question: you are saying that you have a role with access to t-code CATM, and as CATM calls M_BEST_EKG and M_BEST_EKO you are maintaining them for a specific purchasing group and purchasing organization.

Now, when you use a different purchasing org, even then it is working. Are you making sure the test id that you are using does not have any other role giving them this access?

The one thing I am not sure about here is that you said you ran a trace and found out that the user does not have these auth objects, which means your role with CATM does not itself have authorisation for these two objects. Is that a correct statement?

The user is only assigned to the role containing transaction CATM.

This role contains authorization objects M_BEST_EKO and M_BEST_EKG with the following authorizations:

M_BEST_EKO-ACTVT = 01, 02, 03, 04, 06, 08, 09, 75, 76

M_BEST_EKO-EKORG = 1000

M_BEST_EKG-ACTVT = 01, 02, 03, 04, 06, 08, 09, 75, 76

M_BEST_EKG-EKGRP = 0 - 099

The purchase order created for the tests is assigned to purchasing organization 1000 and purchasing group 101.

I can see in the trace that the user is not authorized for authorization object M_BEST_EKG because the purchasing group is not in the range. Unfortunately the process is not interrupted and the entry sheet is created.

If I try with another testuser assigned to a role with another purchasing organization I can see in the trace that the user is not authorized for authorization object M_BEST_EKO because the purchasing organization is different but once again he is able to create an entry sheet.

Edited by: Vince Bl. on Mar 12, 2009 9:45 AM

Hi Vince,

It seems these are the values that you have provided. Can you check what values actually come in using a trace? Just to be sure.

Also, I would try avoiding the number range; instead, try selecting the purchasing groups manually, as they are usually 3 characters long, and at times not finding an exact match in CHAR values does cause a problem.

Regards,

CP

Hi Chinmaya,

Here is the trace with TESTUSER1, with purchasing org OK and purchasing group NOK:

09:44:47:346 AUTH - - - M_BEST_EKO RC=0 ACTVT=08;EKORG=1000;

09:44:47:352 AUTH - - - M_BEST_EKG RC=4 ACTVT=08;EKGRP=101;

09:44:47:352 AUTH - - - M_BEST_EKO RC=0 ACTVT=75;EKORG=1000;

09:44:47:352 AUTH - - - M_BEST_EKG RC=4 ACTVT=75;EKGRP=101;

Here is the trace with TESTUSER2, with purchasing org NOK and purchasing group NOK:

10:25:12:741 AUTH - - - M_BEST_EKO RC=4 ACTVT=08;EKORG=1000;

10:25:12:741 AUTH - - - M_BEST_EKO RC=4 ACTVT=75;EKORG=1000;

Nothing else appears in the trace after those rows.

I don't think the range is an issue, because I have exactly the same problem with the purchasing organization, which is a single value.

Thanks a lot for your help.

Edited by: Vince Bl. on Mar 12, 2009 10:38 AM

Well, the authorization trace is correct. It is giving an RC of 4 for purchasing group 101 in the case of testuser1. Same is the case with testuser2: they are returning RC 4. So the authorization check is failing.

I can't think of any other reason why it is going further!

Just to be doubly sure, you might want to have it debugged and set a break-point on all function calls of AUTHORITY-CHECK, or look for some other manual override in one of the user exits.

Best Wishes,

CP

I debugged and I think the program does not use the result of the authority form in the next steps.

This is probably because a part of the code used in transaction CATM is also used in ML81N.

There is nothing more to do, as it is finally not an issue for the business.

Thank you for your help anyway.

Best regards,

Vince

This is a nice example of why one should be very careful when reading trace files and not blindly build roles from them.

The ST01 trace will tell you whether an object was checked (if the program reached the check at all), but it will not tell you whether and how the program reacted to the result of the check, nor whether the result of the check was deemed successful by the ABAP system configuration even though the user might not be authorized (this last feature will, however, hopefully be solved sometime soon by an enhancement).

For that there is only the source code and consistency in the use cases, and learning the objects, what they are useful for, and where they should not be used (even though some coding blocks are reused).

Perhaps a better solution in this case (which would not require debugging...) would be to react to the authority-check, but then turn it to a "No Check" in SU24 for that context, so that it is more transparent what the developer has done.

Cheers,

Julius
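An added illustration of the point Vince found in debugging and Julius describes above; this is a hypothetical ABAP report written for this page, not SAP's own CATM or ML81N coding. The first subroutine runs both AUTHORITY-CHECKs (so ST01 logs RC=0 / RC=4 exactly as in the trace) but never evaluates sy-subrc, so the entry sheet is still created; the second subroutine reacts to each result. The object and field names (M_BEST_EKO/EKORG, M_BEST_EKG/EKGRP, ACTVT 75) come from the thread; the report name, form names and the create_entry_sheet placeholder are assumptions.

```abap
REPORT zdemo_catm_authcheck.

" Constructed test values matching the thread: org 1000 is authorized,
" group 101 lies outside the role's range 0 - 099.
PARAMETERS: p_ekorg TYPE ekorg DEFAULT '1000',
            p_ekgrp TYPE ekgrp DEFAULT '101'.

" Pattern observed in the thread: both checks are executed, so ST01
" records them (RC=0 / RC=4), but sy-subrc is never evaluated and the
" transfer proceeds regardless of the result.
FORM check_ignored_result USING iv_ekorg TYPE ekorg
                                iv_ekgrp TYPE ekgrp.
  AUTHORITY-CHECK OBJECT 'M_BEST_EKO'
    ID 'ACTVT' FIELD '75'
    ID 'EKORG' FIELD iv_ekorg.
  AUTHORITY-CHECK OBJECT 'M_BEST_EKG'
    ID 'ACTVT' FIELD '75'
    ID 'EKGRP' FIELD iv_ekgrp.
  " sy-subrc of the checks is discarded here, so the entry sheet is
  " created even for an unauthorized purchasing group.
  PERFORM create_entry_sheet USING iv_ekorg iv_ekgrp.
ENDFORM.

" Corrected pattern: every AUTHORITY-CHECK is followed by an evaluation
" of sy-subrc, and processing stops on the first failed check.
FORM check_enforced USING iv_ekorg TYPE ekorg
                          iv_ekgrp TYPE ekgrp.
  AUTHORITY-CHECK OBJECT 'M_BEST_EKO'
    ID 'ACTVT' FIELD '75'
    ID 'EKORG' FIELD iv_ekorg.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized for purchasing organization' TYPE 'E'.
  ENDIF.
  AUTHORITY-CHECK OBJECT 'M_BEST_EKG'
    ID 'ACTVT' FIELD '75'
    ID 'EKGRP' FIELD iv_ekgrp.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized for purchasing group' TYPE 'E'.
  ENDIF.
  PERFORM create_entry_sheet USING iv_ekorg iv_ekgrp.
ENDFORM.

" Hypothetical placeholder for the actual entry-sheet creation.
FORM create_entry_sheet USING iv_ekorg TYPE ekorg
                              iv_ekgrp TYPE ekgrp.
  WRITE: / 'Entry sheet created for', iv_ekorg, iv_ekgrp.
ENDFORM.

START-OF-SELECTION.
  PERFORM check_enforced USING p_ekorg p_ekgrp.
```

With the default values, check_enforced stops with the purchasing-group error after ST01 has logged M_BEST_EKO RC=0 and M_BEST_EKG RC=4, while check_ignored_result produces the same two trace rows and still writes the entry sheet.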