Authorization check in SAP Queries.

jaideepsharma
Active Contributor
0 Kudos

Hi All,

We have created a SAP query and infoset for displaying invoices. We want to restrict the users from viewing data of company code for which they don't have display authorization. For instance if user is authorized only for displaying data for US company code then he should not be able to see the data for company Italy. Also the company code parameter is a select option in SAP query.

So the user can enter '*' also. In that case we want to display the data for all company codes for which the user is authorized. We tried to change the code in the infoset at AT SELECTION SCREEN, but it's not working, as the variables in the program generated for the query are not visible in infosets. Please let us know how we can fix this requirement.

KR Jaideep,

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

Code the Authority-check in section 6 - END-OF-SELECTION.

For example:

AUTHORITY-CHECK OBJECT 'V_KONH_VKO'
         ID 'VKORG' FIELD A910-VKORG
         ID 'SPART' FIELD '10'
         ID 'ACTVT' FIELD '03'.
if sy-subrc <> 0.
  MESSAGE 'Insufficient Authorization.Some data is truncated.' TYPE 'I'.
  CONTINUE.
endif.

11 REPLIES 11

saumya_govil
Active Contributor
0 Kudos

Hi Jaideep,

Use AUTHORITY-CHECK to restrict access to the database based on user.

Press F1 on AUTHORITY-CHECK to find out how to use it in the code.

Regards,

Saumya

sikindar_a
Active Contributor
0 Kudos

Instead of concentrating on the authorisation checks on company code,

check at the user level

Former Member
0 Kudos

Hi,

Go to tcode:SQ03 Usergroup, and enter the name of the usergroup or create a new user group.

Choose Assign Users and InfoSets. Enter the names of those users that are to belong to this user group.

Using Settings -> Without Selection, here you have to enter the names of the users manually.

To be able to make changes to queries, the user requires authorization for the authorization object S_QUERY with the value Change.

Using the pushbuttons:

Change Authorization, Select All, give authorization for all users of a user group.

Change Authorization, Delete All, revoke authorization for all users of a user group.

By clicking on the checkbox before the name of a user to set or delete the indicator, you can give or revoke change authorization for individual users.

Also, assign Infoset and Save.

Former Member

Enhance the infoset and go into Extras, at tab CODE and code section Record Processing

include code something like the following

AUTHORITY-CHECK OBJECT 'F_SKA1_KTP'
         ID 'KTOPL' FIELD SKA1-KTOPL
         ID 'ACTVT' FIELD '03'.
Check SY-SUBRC EQ '0'.

0 Kudos

Hi All,

Thanks a lot for your valuable inputs.

I have made the following modifications in the infosets.

*---Authorization for Company code entered by the users.
*---This code will restrict users to see data for company
*---codes which they are not authorized to.
*---Select all the company codes based upon selection entered by the
*---user
 SELECT bukrs
   FROM t001
   INTO TABLE li_bukrs
  WHERE bukrs IN bukrs.
 IF sy-subrc EQ 0.
*---Clear Screen variable for Company code
   CLEAR bukrs.
   REFRESH bukrs.
*---Filter and prepare Select options for Company code table to be
*---passed to query. Table will only have values of company codes he is
*---authorized to for display.
   LOOP AT li_bukrs INTO lwa_bukrs.
     AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                       ID 'BUKRS' FIELD lwa_bukrs
                       ID 'ACTVT' FIELD '03'.
     IF sy-subrc = 0.
       bukrs-sign = 'I'.
       bukrs-option = 'EQ'.
       bukrs-low = lwa_bukrs.
       bukrs-high = space.
       APPEND bukrs.
     ELSE.
       lv_flag = 'X'.
     ENDIF.
   ENDLOOP.
*---Give warning message to the user in case he is not authorized to see
*---data for all the company codes that he has entered.
   IF lv_flag = 'X'.
     MESSAGE ID 'ZF_MSS_FNG' TYPE 'W' NUMBER '015'.
   ENDIF.
 ENDIF.

0 Kudos

Hello,

I'm sorry to bring up that old post but I'm in the same situation.

How and where to add your code in the SAP Query?

When checking the source code, there is an error after the first select so the query couldn't be generated.

"The IN operator with "BUKRS" is followed neither by an internal table nor by a value list."

I managed to add this code directly into the program by replacing "bukrs" by the select-options object referring to company code (ex: SP$00003), but I'd prefer to maintain all this authorization check inside the SAP Query.

Is there any ABAP developer out there who can help me achieve this authorization check through SAP Query?

Regards,

Thierry Kennes

jaideepsharma
Active Contributor
0 Kudos

Answered

Shivaji16
Active Participant
0 Kudos

Hello Jaideep,

How are you..!!

I have a similar requirement regarding Authority checks for selection screen inputs in a SAP Query,

Could you please share the resolution for this issue..!!

Thanks

Best Regards,

Shivaji Gannavarapu

Edited by: SHIVAJI GANNAVARAPU on Jul 11, 2009 10:27 PM

former_member602203
Participant
0 Kudos

Hi,

there is a problem with the above mentioned authorization check in SQ02. If you enter * (Wildcard) for e.g. plant field, the authorization check DOESN'T work correctly!

Update: I found the solution for the Wildcard * issue. Now it is working fine...

0 Kudos

Hi,

you are right the one marked as "best Answer" doesn't work for range or Wildcard.

I have made a blog post to solve this issue. The blog is inspired by the reply given by Jaideep in this thread on 17 June 2019. The code of Jaideep has just a small error. If the user has no auth at all he will see everything.

https://blogs.sap.com/2015/11/23/custom-authorization-in-sq01-queries/

In the example I'm going to read all company codes based on the selection, then I check the authorization for all of them.

If it succeeds I put them back as selection of the query.

This way I ensure that only company codes he is allowed are displayed.

You can do the same way with the plant. Read the plants based on the selection from table T001W then make the auth check.

Best regards

Yannick
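The fail-open case raised in the last replies, shown as an added example that is not code from this thread or from the linked blog: when every company code fails the check, the rebuilt range is empty, and an empty range in `WHERE bukrs IN ...` matches all rows. The report name `z_bukrs_auth_filter_demo` and the select-option `s_bukrs` are assumptions; in an infoset the select-option would be the one defined for the query.

```abap
REPORT z_bukrs_auth_filter_demo.
* Added example: report name and s_bukrs are hypothetical names.
TABLES t001.
SELECT-OPTIONS s_bukrs FOR t001-bukrs.

DATA: lt_bukrs  TYPE STANDARD TABLE OF t001-bukrs,
      lv_bukrs  TYPE t001-bukrs,
      lv_denied TYPE c LENGTH 1.

AT SELECTION-SCREEN.
* Resolve whatever was entered (single values, ranges, '*' or nothing)
* into concrete company codes.
  SELECT bukrs FROM t001 INTO TABLE lt_bukrs WHERE bukrs IN s_bukrs.

* Rebuild the range from the authorized company codes only.
  CLEAR: s_bukrs, lv_denied.
  REFRESH s_bukrs.
  LOOP AT lt_bukrs INTO lv_bukrs.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'BUKRS' FIELD lv_bukrs
             ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      s_bukrs-sign   = 'I'.
      s_bukrs-option = 'EQ'.
      s_bukrs-low    = lv_bukrs.
      APPEND s_bukrs.
    ELSE.
      lv_denied = 'X'.
    ENDIF.
  ENDLOOP.

* Fail closed: an empty range would select every company code,
* so a user with no authorization at all is stopped here.
  IF s_bukrs[] IS INITIAL.
    MESSAGE 'No display authorization for the selected company codes.' TYPE 'E'.
  ELSEIF lv_denied = 'X'.
    MESSAGE 'Unauthorized company codes were removed from the selection.' TYPE 'W'.
  ENDIF.

START-OF-SELECTION.
* Downstream reads use the filtered range; here it is only listed.
  LOOP AT s_bukrs.
    WRITE: / s_bukrs-low.
  ENDLOOP.
```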