Saving file on application server based on employee area, with all security

Former Member
0 Kudos

We have one discussion going on!! I just want a suggestion about that. We are using the OPEN DATASET logic to open the file for read and write. Now we have different companies and we want the file to be saved on the basis of the company code in that person's area, which represents a folder on the application server in AL11. Can you guys suggest how we can deal with this matter?

I mean employee #123 runs a report or interface (from ABC company):

On the selection screen it says /USR/ABC/interface/save/

I mean employee #3 runs a report or interface (from DUMMY company):

On the selection screen it says /USR/DUMMY/interface/save/

<b>Note: it won't allow them to save a file which does not belong to their company area, and authorization should be strict.</b>

Cheers

usman

Accepted Solutions (1)

Former Member
0 Kudos

If you derive the file path anyway depending on the company code, then the best way seems to be creating an authorization object for company code, and doing an authority check of the user based on that object at the very start of the program.

former_member181966
Active Contributor
0 Kudos

Well, as far as personnel area / company code are concerned, SAP standard authorization objects control them; you don't need to do it. The object is P_ORGIN, which has these values. But you don't need to worry about that; I am 100% sure your security group already implements that. If that specific user has the roles, he can access the company code and personnel areas.

FYI: you can also see its values in table AGR_1251 against roles and users.

In addition, AL11 uses the auth object S_ADMI_FCD,

and see the FM in the AL11 program (RSWATCH0):

auth_check_filename = path_name.

call function 'AUTHORITY_CHECK_DATASET'
  exporting
*   program          =
    activity         = 'READ'
    filename         = auth_check_filename
  exceptions
    no_authority     = 1
    activity_unknown = 2
    others           = 3.

if sy-subrc = 1.
  message id '00' type 'E' number '149'
          with path_name.
endif.

In the above FM you'll see different activity types like:

case activity.
  when sabc_act_read.              l_actvt = '33'. openmode = 'R'.
  when sabc_act_write.             l_actvt = '34'. openmode = 'W'.
  when sabc_act_read_with_filter.  l_actvt = 'A6'. openmode = 'R'.
  when sabc_act_write_with_filter. l_actvt = 'A7'. openmode = 'W'.
  when sabc_act_delete.            l_actvt = '06'. openmode = 'D'.
endcase.

with the auth check in place:

<b>authority-check object 'S_DATASET'
  id 'PROGRAM'  field program
  id 'ACTVT'    field l_actvt
  id 'FILENAME' field filename.</b>

<i><b>You can also define a role in which you put auth object = S_DATASET and with activity</b></i>

06 Delete

33 Read

34 Write

A6 Read with filter

A7 Write with filter

with object = S_DATASET

you can give filename = /usr/dummy/inter* (for one company code; <b>just change this value for every one</b>)

with object = S_DATASET

program = ZP* (program name)

ref: <b>authority-check object 'S_DATASET'
  id 'PROGRAM'  field program
  id 'ACTVT'    field l_actvt
  id 'FILENAME' field filename.</b>

Hope it'll help you!!

Thanks

Saquib Khan

Message was edited by: Saquib Khan
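A worked version of the approach in this answer, added here as an example (it is not code from the thread, nor from SAP's RSWATCH0): the target directory is derived from the running user's company code instead of being typed on the selection screen, the file name is rejected if it could walk out of that directory, and AUTHORITY_CHECK_DATASET is called with the WRITE activity (ACTVT 34 in the list above) before OPEN DATASET. The table ZUSER_BUKRS used to look up the user's company code is a hypothetical customer table; replace it with whatever assignment source your HR or security team provides.

```abap
REPORT zcompany_file_save.

" Added example, not code from the thread or from RSWATCH0.
" Assumption: the running user's company code is kept in a hypothetical
" customer table ZUSER_BUKRS (fields UNAME, BUKRS).

PARAMETERS p_file TYPE c LENGTH 60 LOWER CASE OBLIGATORY.  " file name only, no directory

DATA: lv_bukrs    TYPE bukrs,
      lv_path     TYPE string,
      lv_fullpath TYPE fileextern.   " type AUTHORITY_CHECK_DATASET expects

" 1. A file name such as ../ABC/x.txt would walk out of the company directory.
IF p_file CA '/\' OR p_file CS '..'.
  MESSAGE 'File name must not contain path separators or ..' TYPE 'E'.
ENDIF.

" 2. Company code of the user who runs the report, never from the selection screen.
SELECT SINGLE bukrs FROM zuser_bukrs INTO lv_bukrs
  WHERE uname = sy-uname.
IF sy-subrc <> 0.
  MESSAGE 'No company code assigned to this user' TYPE 'E'.
ENDIF.

" 3. The directory follows from the company code, so /usr/ABC/... and
"    /usr/DUMMY/... cannot be swapped by the person running the program.
lv_path = |/usr/{ lv_bukrs }/interface/save/{ p_file }|.

" 4. S_DATASET check (PROGRAM / ACTVT 34 / FILENAME) through the same FM AL11 uses.
lv_fullpath = lv_path.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    activity         = 'WRITE'        " ACTVT 34 in the S_DATASET role value
    filename         = lv_fullpath
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.
  MESSAGE ID '00' TYPE 'E' NUMBER '149' WITH lv_path.   " same message RSWATCH0 raises
ENDIF.

" 5. Only after the check passes is the file system touched.
OPEN DATASET lv_path FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc <> 0.
  MESSAGE |Cannot open { lv_path }| TYPE 'E'.
ENDIF.
TRANSFER 'interface output' TO lv_path.
CLOSE DATASET lv_path.
WRITE: / 'Saved', lv_path.
```

With this in place the S_DATASET role values described above do the rest: the ABC group's role carries FILENAME = /usr/ABC/inter* and ACTVT 34, the DUMMY group's role carries /usr/DUMMY/inter*, and a DUMMY user running the same program stops at message 00 149 before anything is opened, because the program only ever builds the DUMMY path for him and the role only ever grants the DUMMY path.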

Former Member
0 Kudos

WOW!! That is good!

Thank you guys, I am unable to see the points to award. Is there a problem with the system today?

Former Member
0 Kudos

Thanks a lot Saquib

Cheers

Usman

former_member181966
Active Contributor
0 Kudos

Please award the points if it helps you.

Thanks

SK

Answers (2)

Former Member
0 Kudos

Hi,

In this case, you will build the path of the file dynamically depending on the data.

However, regarding restricting the authorization, I am not sure if it's possible as it will be the same user ID that will try to write the file for all the company codes.

Regards,

Ravi

Note : Please mark the helpful answers

former_member181966
Active Contributor
0 Kudos

There are several options.

1 - You can use logical file paths and you can create them in <b>Tr. FILE</b>. You can define different paths based on your company grouping. In your program, based on who's running the program, you can assign the path using the logical file path name, OR give a radio button on the selection screen and give the company grouping name

*ABC

*XYX

*Dummy

*real

And make the path /usr/<b>real</b>/interface.

As far as this specific person not being able to read and write in the same directory, assuming you are on UNIX or AIX, you can set the permissions at OS level for the user, so that the employee can only read/write to the specific folder whose permission it has at OS level.

I would definitely follow the above way to handle this.

2 - You can create a Z table and give the path as well as the company code. So you can track the path based on the employee running it and you can also check the security.

But you need to build/maintain the Z table in this case.

You can also run the security trace and see what security AL11 checks in the background, but I guess it only checks Tr. AL11, not the folder-level permission, as that comes into the picture at OS level.

Hope this'll give you a good idea!!

Good luck!!

Saquib Khan
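Options 1 and 2 from this answer combined in one report, added here as an example (not code from the thread): a Z table maps the company code to a directory name, and FILE_GET_NAME resolves a logical file name maintained in transaction FILE, so no directory string is hard-coded in the program. The logical names ZCOMPANY_INTERFACE and ZCOMPANY_SAVE, the physical path with the `<PARAM_1>` and `<FILENAME>` placeholders, and the mapping table ZCOMPANY_DIR are all assumed customizing, not anything the thread names. The S_DATASET check from the accepted answer's RSWATCH0 excerpt would then run on the resolved path before OPEN DATASET.

```abap
REPORT zcompany_logical_path.

" Added example, not code from the thread.
" Assumed customizing in transaction FILE (hypothetical names):
"   logical path ZCOMPANY_INTERFACE, physical path /usr/<PARAM_1>/interface/save/<FILENAME>
"   logical file ZCOMPANY_SAVE, physical file <PARAM_2>, assigned to that path
" Assumed mapping table ZCOMPANY_DIR (fields BUKRS, DIRNAME), the Z table of option 2.

PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY,
            p_file  TYPE c LENGTH 60 LOWER CASE OBLIGATORY.

DATA: lv_dirname  TYPE c LENGTH 30,
      lv_physical TYPE filename-fileextern,  " what FILE_GET_NAME returns
      lv_expected TYPE string,
      lv_pattern  TYPE string.

" 1. Company code -> directory name from the mapping table.
SELECT SINGLE dirname FROM zcompany_dir INTO lv_dirname
  WHERE bukrs = p_bukrs.
IF sy-subrc <> 0.
  MESSAGE 'No directory maintained for this company code' TYPE 'E'.
ENDIF.

" 2. FILE_GET_NAME substitutes <PARAM_1> and <PARAM_2> in the FILE customizing.
CALL FUNCTION 'FILE_GET_NAME'
  EXPORTING
    logical_filename = 'ZCOMPANY_SAVE'
    parameter_1      = lv_dirname
    parameter_2      = p_file
  IMPORTING
    file_name        = lv_physical
  EXCEPTIONS
    file_not_found   = 1
    OTHERS           = 2.
IF sy-subrc <> 0.
  MESSAGE 'Logical file name ZCOMPANY_SAVE is not maintained' TYPE 'E'.
ENDIF.

" 3. Guard against customizing that dropped <PARAM_1>: if the resolved path is
"    not under this company's directory, every company would share one folder.
lv_expected = |/usr/{ lv_dirname }/interface/save/|.
lv_pattern  = lv_expected && '*'.
IF lv_physical NP lv_pattern.
  MESSAGE |Resolved path { lv_physical } is outside { lv_expected }| TYPE 'E'.
ENDIF.

WRITE: / 'Company', p_bukrs, 'writes to', lv_physical.
```

Keeping the directory in FILE customizing rather than in the program means a new company is added by inserting one ZCOMPANY_DIR row and one S_DATASET role value (FILENAME = /usr/&lt;dirname&gt;/inter*), with no transport of the report; the pattern check in step 3 is there because a logical path edited by hand is the one place where the per-company separation can quietly disappear.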