authorisation objects

Former Member
0 Kudos

Can anybody help me out with how to create authorisation objects?

thanks & regards,

phani.

Accepted Solutions (0)

Answers (6)

Former Member
0 Kudos

Hi,

Purpose: You want to give certain users access to certain output, which means you want them to be authorized.

If you want to create an authorization object, then follow the steps below.

1. Go to TCODE SU21 and create a new authorization object.

Give Object - as ZESDE0153.

Text - as Authorization Object for ZESDE0153

Class - PP [Your Module]

Author - Your ID

Then give the authorization fields as

ACTION Action of the authorization

ACTIVITY Activity: document distribution

Whatever your requirement may be, you provide it here.

Then save your authorization object.

2. Then ask your Basis guys to create roles.

There they will provide certain authorization roles for certain users.

3. Then you need to add the following code in your main program.

AUTHORITY-CHECK OBJECT 'ZESDE0153'
  ID 'ACTIVITY' FIELD ' '.
IF sy-subrc <> 0.
  MESSAGE e000(zzpp) WITH text-022.
ENDIF.

Wherever you put the above code, authorized users can skip the above code and process the next part.

Unauthorized users will not be able to process from there.

Ex: For some users you may want to give access to process records.

For some users you may want to display output but give no authorization for processing.

In that scenario you can go for an authorization object.

What roles mean in the above:

Suppose there are 5 users in your company.

Then you have created an authorization object.

And added the same in your code.

When you run that program you need to process through.

But when others run it they need not process through.

So against your SAP user ID one role will be created against the created authorization object, like whether you can process or not.

Here is one example by which you can understand roles much better.

Transaction  Authorization Object  Options  Role/Definition                 D5S TestUserID  Password
===========  ====================  =======  ==============================  ==============  ========
ZSD_DD250    ZSD_DD250 (S_TCode)   None     ZS_MN_FRONT_SHOP_MAINT          SHOPTEST        initpass
ZSD_DD250    ZESDE0153             D,A,C    Display Object
                                   D        Display a Distribution Log
ZSD_DD250    ZSD_DD250 (S_TCode)   None     ZS_MM_PLANNING_AND_SCHEDULING   PLANTEST        initpass
ZSD_DD250    ZESDE0153             D,A,C    Display, Add and Change Object
                                   D        Display a Distribution Log
ZSD_DD250    ZSD_DD250 (S_TCode)   None     ZS_MN_MANUFACTURING_OPERATIONS  OPERTEST        initpass
ZSD_DD250    ZESDE0153             D        Display, Add and Change Object
                                   D        Display a Distribution Log

I hope these inputs will help you out.

Thanks & Regards,

Prasad.

Former Member
0 Kudos

Hi,

Refer this thread:

Regards,

Gayathri

Former Member
0 Kudos

Hi,

<b>To create Authorization Object</b>

Each authorization object must be assigned to an object class when it is created.

Choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.

You can also create authorization objects in the Object Navigator (SE80).

<b>Creating / Choosing Object Classes</b>

The system displays a list of existing object classes.

Object classes are organized according to the components of the system.

Before you can create a new object, you must define the object class for the component in which you are working. The objects are not overwritten when you install new releases.

You can also define your own object classes. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.

<b>Creating an Object</b>

Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.

You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and create documentation for it.

Ensure that the object definition matches the AUTHORITY-CHECK calls that refer to the object.

Do not change or delete authorization objects defined by SAP. This disables SAP programs that use the objects.

You can regenerate the profile SAP_ALL after creating an authorization object.

<b>Creating authorization fields</b>

In authorization objects, authorization fields represent the values to be tested during authorization checks.

To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Fields.

To create an authorization field:

1. Choose Create authorization field.

2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.

3. Assign a data element from the ABAP Dictionary to the field.

4. If desired, enter a check table for the possible entries. For more information about check tables, see Link to the check table. The link provides possible field values. You can also define a value range by way of the area with which a field is associated.

For more information about AUTHORITY-CHECK, see the keyword documentation of the ABAP Editor.

You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.

Regards,

Sameena

Former Member
0 Kudos

Hi phani,

1. SU21 is the tcode for it.

regards,

amit m.

Former Member
0 Kudos

Hi Phani

Try with this code

In PAI-100

Write Module MOD1.

AUTHORITY-CHECK OBJECT <Object-Name>
  ID 'BUKRS' FIELD V_BUKRS
  ID 'ACTVT' FIELD '02'.   " '02' --> for Change
IF SY-SUBRC <> 0.
  MESSAGE 'You are not authorized to enter this code' TYPE 'E'.
ENDIF.

Example :

Object Class : FI Field --> F_BKPF_BUK.

AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD V_BUKRS
  ID 'ACTVT' FIELD '02'.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ...
  ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

Go through this report:

TABLES: TOBJT.

DATA: OBJECT1 LIKE USR12-OBJCT,
      OBJECT2 LIKE USR12-OBJCT,
      OBJECT3 LIKE USR12-OBJCT,
      AUTH1 LIKE USR12-AUTH,
      AUTH2 LIKE USR12-AUTH,
      AUTH3 LIKE USR12-AUTH,
      IND LIKE SY-INDEX,
      FLAG TYPE I.

DATA: BEGIN OF INTTAB OCCURS 30,
        OBJECT LIKE USR12-OBJCT,
        AUTH LIKE USR12-AUTH,
      END OF INTTAB.

DATA: BEGIN OF INTTAB2 OCCURS 30,
        OBJECT LIKE USR12-OBJCT,
        AUTH LIKE USR12-AUTH,
        EXPL LIKE TOBJT-TTEXT,
      END OF INTTAB2.

DATA: BEGIN OF TABSET OCCURS 30,
        SFIELD LIKE TOBJ-FIEL1,
        VON(18),
        BIS(18),
      END OF TABSET.

* read up the authorizations from the user buffer
CALL 'ANALYSE_USERBUFFER'
  ID 'AUTHS' FIELD INTTAB-*SYS*.

* filter out the multiple authorizations of the same object
SORT INTTAB BY OBJECT.
DO.
  IF SY-INDEX = 1.
    OBJECT1 = ''. AUTH1 = ''.
    READ TABLE INTTAB INDEX 1.
    OBJECT2 = INTTAB-OBJECT. AUTH2 = INTTAB-AUTH.
    READ TABLE INTTAB INDEX 2.
    OBJECT3 = INTTAB-OBJECT. AUTH3 = INTTAB-AUTH.
  ELSE.
    OBJECT1 = OBJECT2. AUTH1 = AUTH2.
    READ TABLE INTTAB INDEX SY-INDEX.
    OBJECT2 = INTTAB-OBJECT. AUTH2 = INTTAB-AUTH.
    IND = SY-INDEX + 1.
    READ TABLE INTTAB INDEX IND.
    IF SY-SUBRC = 0.
      OBJECT3 = INTTAB-OBJECT. AUTH3 = INTTAB-AUTH.
    ELSE.
*     last entry of the table: store it, then leave the loop
      OBJECT3 = ''. AUTH3 = ''.
      IF OBJECT2 = OBJECT1 OR OBJECT2 = OBJECT3.
        INTTAB2-OBJECT = OBJECT2.
        INTTAB2-AUTH = AUTH2.
        SELECT SINGLE * FROM TOBJT
          WHERE LANGU = SY-LANGU
          AND OBJECT = OBJECT2.
        INTTAB2-EXPL = TOBJT-TTEXT.
        APPEND INTTAB2.
      ENDIF.
      EXIT.
    ENDIF.
  ENDIF.
  IF OBJECT2 = OBJECT1 OR OBJECT2 = OBJECT3.
    INTTAB2-OBJECT = OBJECT2.
    INTTAB2-AUTH = AUTH2.
    SELECT SINGLE * FROM TOBJT
      WHERE LANGU = SY-LANGU
      AND OBJECT = OBJECT2.
    INTTAB2-EXPL = TOBJT-TTEXT.
    APPEND INTTAB2.
  ENDIF.
ENDDO.

SORT INTTAB2 BY OBJECT AUTH.

* display the authorization and description, the objects, fields and
* field values
FLAG = 0. OBJECT1 = ''.
LOOP AT INTTAB2.
  IF OBJECT1 = INTTAB2-OBJECT.
    WRITE: / INTTAB2-AUTH COLOR 2.
    PERFORM FIELD_VALUES.
    LOOP AT TABSET.
      WRITE: / TABSET-SFIELD, TABSET-VON, TABSET-BIS.
    ENDLOOP.
  ELSE.
    SKIP.
    WRITE: / INTTAB2-OBJECT COLOR 3, INTTAB2-EXPL COLOR 3.
    PERFORM FIELD_VALUES.
    WRITE: / INTTAB2-AUTH COLOR 2.
    LOOP AT TABSET.
      WRITE: / TABSET-SFIELD, TABSET-VON, TABSET-BIS.
    ENDLOOP.
  ENDIF.
  OBJECT1 = INTTAB2-OBJECT.
ENDLOOP.

*---------------------------------------------------------------------*
*       FORM FIELD_VALUES                                             *
*---------------------------------------------------------------------*
*       retrieve the field values of an authorization                 *
*---------------------------------------------------------------------*
FORM FIELD_VALUES.
  TABLES: USR12.
  FIELD-SYMBOLS <F>.
  DATA: INTFLAG TYPE I VALUE 0, OFF TYPE I, VTYP, LNG TYPE I,
        CLNG(2), GLNG(2), FLDLNG TYPE I VALUE 10, SETFILL.

  SELECT SINGLE * FROM USR12
    WHERE AUTH = INTTAB2-AUTH
    AND OBJCT = INTTAB2-OBJECT
    AND AKTPS = 'A'.

  SETFILL = 0.
  REFRESH TABSET.
  CLEAR TABSET.
  OFF = 2.
* read the type character of the first entry in USR12-VALS
  ASSIGN USR12-VALS+OFF(1) TO <F>.
  WRITE <F> TO VTYP.
  WHILE VTYP <> ' ' AND OFF < USR12-LNG.
    OFF = OFF + 1.
    CASE VTYP.
      WHEN 'F'.
*       field entry: value length, then the field name
        OFF = OFF + 5.
        ASSIGN USR12-VALS+OFF(2) TO <F>.
        WRITE <F> TO CLNG.
        LNG = CLNG.
        IF LNG <= 0.
          EXIT.
        ENDIF.
        OFF = OFF + 2.
        ASSIGN USR12-VALS+OFF(FLDLNG) TO <F>.
        WRITE <F> TO TABSET-SFIELD.
        OFF = OFF + FLDLNG.
      WHEN 'E'.
*       single value
        ASSIGN USR12-VALS+OFF(LNG) TO <F>.
        WRITE <F> TO TABSET-VON.
        IF TABSET-VON = SPACE.
          TABSET-VON = ''' '''.
        ENDIF.
        APPEND TABSET.
        SETFILL = SETFILL + 1.
        TABSET-VON = SPACE.
        TABSET-BIS = SPACE.
        OFF = OFF + LNG.
      WHEN 'G'.
*       generic value, shown with a trailing '*'
        ASSIGN USR12-VALS+OFF(2) TO <F>.
        WRITE <F> TO CLNG.
        GLNG = CLNG.
        OFF = OFF + 2.
        ASSIGN USR12-VALS+OFF(LNG) TO <F>.
        IF INTFLAG = 0.
          WRITE <F> TO TABSET-VON.
          WRITE '*' TO TABSET-VON+GLNG.
        ELSE.
          WRITE <F> TO TABSET-BIS.
          WRITE '*' TO TABSET-BIS+GLNG.
          INTFLAG = 0.
        ENDIF.
        APPEND TABSET.
        SETFILL = SETFILL + 1.
        TABSET-VON = SPACE.
        TABSET-BIS = SPACE.
        OFF = OFF + LNG.
      WHEN 'V'.
*       lower limit of a range
        INTFLAG = 1.
        ASSIGN USR12-VALS+OFF(LNG) TO <F>.
        WRITE <F> TO TABSET-VON.
        IF TABSET-VON = SPACE.
          TABSET-VON = ''' '''.
        ENDIF.
        OFF = OFF + LNG.
      WHEN 'B'.
*       upper limit of a range
        INTFLAG = 0.
        ASSIGN USR12-VALS+OFF(LNG) TO <F>.
        WRITE <F> TO TABSET-BIS.
        IF TABSET-BIS = SPACE.
          TABSET-BIS = ''' '''.
        ENDIF.
        APPEND TABSET.
        SETFILL = SETFILL + 1.
        TABSET-VON = SPACE.
        TABSET-BIS = SPACE.
        OFF = OFF + LNG.
    ENDCASE.
    ASSIGN USR12-VALS+OFF(1) TO <F>.
    WRITE <F> TO VTYP.
  ENDWHILE.
ENDFORM.

Go through this link:

http://www.thespot4sap.com/Articles/SAP_ABAP_Queries_Authorizations.asp

Also go through this document:

AUTHORITY-CHECK OBJECT object
  ID name1 FIELD f1
  ID name2 FIELD f2
  ...
  ID name10 FIELD f10.

Effect

Explanation of IDs:

object: Field which contains the name of the object for which the authorization is to be checked.

name1 ... name10: Fields which contain the names of the authorization fields defined in the object.

f1 ... f10: Fields which contain the values for which the authorization is to be checked.

AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).

You must specify all authorizations for an object and also a value for each ID (or DUMMY).

The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.

If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.

If the return code SY-SUBRC = 0, the user has the required authorization and may continue.

The return code is modified to suit the different error scenarios. The return code values have the following meaning:

4 User has no authorization in the SAP System for such an action. If necessary, change the user master record.

8 Too many parameters (fields, values). Maximum allowed is 10.

12 Specified object not maintained in the user master record.

16 No profile entered in the user master record.

24 The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.

28 Incorrect structure for user master record.

32 Incorrect structure for user master record.

36 Incorrect structure for user master record.

If the return code value is 8 or possibly 24, inform the person responsible for the program. If the return code value is 4, 12, 15 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP, since authorizations have probably been destroyed.

Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.

Note

Instead of ID name FIELD f , you can also write ID name DUMMY . This means that no check is performed for the field concerned.

The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.

Example

Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:

Table OBJ : Definition of authorization object

M_EINF_WRK

ACTVT

WERKS

Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations

M_EINF_WRK_BERECH1

ACTVT 01-03

WERKS 0001-0003 .

can display and change plants within the Purchasing and Materials Management areas.

Such a user would thus pass the checks

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0002'
  ID 'ACTVT' FIELD '02'.

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' DUMMY
  ID 'ACTVT' FIELD '01'.

but would fail the check

AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
  ID 'WERKS' FIELD '0005'
  ID 'ACTVT' FIELD '04'.

Thanks & Regards

Sreenivasulu P
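
The AND/OR evaluation described in the answer above, modeled in Python as an added example; it is not part of the original post and is not SAP code. The data layout, the `authority_check` and `value_allowed` names, and the second display-only authorization for plant 0005 are assumptions made for illustration. It shows that values from two different authorizations are never combined to satisfy one check.

```python
# Added illustration: a simplified model of AUTHORITY-CHECK evaluation as the
# answer above describes it. Not SAP code; the data layout is an assumption.
DUMMY = object()  # stands in for "ID name DUMMY": the field is not checked


def value_allowed(value, allowed):
    """True if value matches an entry: '*', a single value or a (low, high) range."""
    for entry in allowed:
        if entry == "*":
            return True
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:  # character comparison of fixed-length codes
                return True
        elif entry == value:
            return True
    return False


def authority_check(user_auths, obj, **ids):
    """Return a SY-SUBRC-like code: 0 authorized, 4 no matching authorization,
    8 more than 10 fields, 12 object not in the user master record."""
    if len(ids) > 10:
        return 8
    auths = user_auths.get(obj)
    if not auths:
        return 12
    for auth in auths:  # several authorizations for one object are OR-ed
        # inside one authorization every checked field must match (AND)
        if all(v is DUMMY or value_allowed(v, auth.get(f, ()))
               for f, v in ids.items()):
            return 0
    return 4


# Constructed user master data: the authorization from the M_EINF_WRK example
# plus a second, hypothetical display-only authorization for plant 0005.
USER = {
    "M_EINF_WRK": [
        {"ACTVT": [("01", "03")], "WERKS": [("0001", "0003")]},
        {"ACTVT": ["03"], "WERKS": ["0005"]},
    ]
}

if __name__ == "__main__":
    for werks, actvt in [("0002", "02"), (DUMMY, "01"), ("0005", "04"), ("0005", "02")]:
        print(authority_check(USER, "M_EINF_WRK", WERKS=werks, ACTVT=actvt))
```

The last call returns 4 even though the user may change plants 0001-0003 and may display plant 0005: no single authorization contains both plant 0005 and activity 02.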

Former Member
0 Kudos

You need to create an authorization object from transaction SU21.

There you can give the authorization fields.

Now in your report just call that authority object:

Say you had created an authorization object as V_VBAK_VKO;

then you have to use it like this.

Sample code for the same:

*Check the authority of the user
authority-check object 'V_VBAK_VKO'
  id 'VKORG' field it_salesorg-vkorg
  id 'VTWEG' dummy "FIELD '*'
  id 'SPART' dummy "FIELD '*'
  id 'ACTVT' dummy.
*If the user is not authorised
if sy-subrc <> 0.
* Give the error message.
endif.