on 05-01-2006 6:28 PM - last edited on 02-04-2024 6:14 AM by postmig_api_4
We have a discussion going on, and I just want a suggestion about it. We are using OPEN DATASET logic to open the file for read and write. Now we have different companies, and we want the file to be saved on the basis of company code in that person area, which represents a folder on the application server in AL11. Can you suggest how we can deal with this matter?
I mean employee #123 runs the report or interface (from ABC company).
On the selection screen it says /USR/ABC/interface/save/
I mean employee #3 runs the report or interface (from DUMMY company).
On the selection screen it says /USR/DUMMY/interface/save/
Note: it won't allow them to save a file which does not belong to their company area, and authorization should be strict.
Cheers
usman
If you derive the filepath anyway depending on the company code, then the best way seems to be creating an authorization object for company code and doing an authority check of the user based on that object at the first place in the program.
Well, as far as person area and company code are concerned, SAP standard authorization objects control them; you don't need to do it. The object is P_ORGIN, which has these values. But you don't need to worry about that. I am 100% sure your security group has already implemented that. If that specific user has the roles, he can access the company code and personal areas.
FYI: you can also see its values in Table AGR_1251 against roles and user.
In addition, AL11 uses the auth object S_ADMI_FCD, and see the FM in the AL11 program (RSWATCH0):
    auth_check_filename = path_name.
    call function 'AUTHORITY_CHECK_DATASET'
      exporting
        " program        =        (no value given in the post)
        activity         = 'READ'
        filename         = auth_check_filename
      exceptions
        no_authority     = 1
        activity_unknown = 2
        others           = 3.
    if sy-subrc = 1.
      " no authorization for this file: error message naming the path
      message id '00' type 'E' number '149'
        with path_name.
    endif.
In the above FM you'll see different activity types, like:
    when sabc_act_read.
      l_actvt  = '33'.
      openmode = 'R'.
    when sabc_act_write.
      l_actvt  = '34'.
      openmode = 'W'.
    when sabc_act_read_with_filter.
      l_actvt  = 'A6'.
      openmode = 'R'.
    when sabc_act_write_with_filter.
      l_actvt  = 'A7'.
      openmode = 'W'.
    when sabc_act_delete.
      l_actvt  = '06'.
      openmode = 'D'.
with the auth check in place:
    authority-check object 'S_DATASET'
      id 'PROGRAM'  field program
      id 'ACTVT'    field l_actvt
      id 'FILENAME' field filename.
You can also define a role in which you put auth object = S_DATASET, with activity:
    06 Delete
    33 Read
    34 Write
    A6 Read with filter
    A7 Write with filter
With object = S_DATASET
you can give filename = /usr/dumyy/inter* (for one company code; just change this value for every one).
With object = S_DATASET
program = ZP* (program name)
ref:
    authority-check object 'S_DATASET'
      id 'PROGRAM'  field program
      id 'ACTVT'    field l_actvt
      id 'FILENAME' field filename.
Hope it'll help you!
Thanks
Saquib Khan
Message was edited by: Saquib Khan
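The two checks suggested in the replies above, combined in one report, as an added example that is not code from the thread or from SAP. Assumptions: the report name, the file name export.txt, and ZFILE_BUK, a hypothetical custom authorization object with fields BUKRS and ACTVT; the /usr/.../interface/save/ layout follows the posts.

```abap
REPORT zfile_by_company.
* Added example, not code from the thread. ZFILE_BUK is a hypothetical
* custom authorization object (fields BUKRS, ACTVT); file name is made up.
TYPE-POOLS sabc.
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.
DATA: lv_bukrs TYPE bukrs,
      lv_file  TYPE authb-filename,
      lv_line  TYPE string VALUE 'constructed sample record'.

START-OF-SELECTION.
* 1. Accept only company codes that exist in T001, so the value that
*    ends up in the path is a known key and not free text.
  SELECT SINGLE bukrs FROM t001 INTO lv_bukrs WHERE bukrs = p_bukrs.
  IF sy-subrc <> 0.
    MESSAGE 'Unknown company code' TYPE 'E'.
  ENDIF.

* 2. Company-level check at the start of the program.
  AUTHORITY-CHECK OBJECT 'ZFILE_BUK'
    ID 'BUKRS' FIELD lv_bukrs
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this company code' TYPE 'E'.
  ENDIF.

* 3. The program derives the path; the user never types it.
  CONCATENATE '/usr/' lv_bukrs '/interface/save/export.txt' INTO lv_file.

* 4. File-level check against S_DATASET (write = activity 34).
  CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
    EXPORTING
      program          = sy-repid
      activity         = sabc_act_write
      filename         = lv_file
    EXCEPTIONS
      no_authority     = 1
      activity_unknown = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.
    MESSAGE 'No S_DATASET authorization for this path' TYPE 'E'.
  ENDIF.

  OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'Could not open file' TYPE 'E'.
  ENDIF.
  TRANSFER lv_line TO lv_file.
  CLOSE DATASET lv_file.
```

With a role that grants S_DATASET only for one company's directory pattern, step 4 stops a user of another company even if step 2 were misconfigured.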
Hi,
In this case, you will build the path of the file dynamically depending on the data.
However, regarding restricting the authorization, I am not sure if it's possible, as it will be the same user ID that will try to write the file for all the company codes.
Regards,
Ravi
Note : Please mark the helpful answers
There are several options.
1 - You can use logical file paths, and you can create them in Tr. FILE. You can define different paths based on your company grouping. In your program, based on who is running the program, you can assign the path using the logical file path name, OR give radio buttons on the selection screen and give the company grouping name:
* ABC
* XYX
* Dummy
* real
And make the path /usr/real/interface.
As far as this specific person not being able to read and write on the same directory, assuming you are on UNIX or AIX, you can set the permission at OS level for the user, so that the employee can only read/write to the specific folder whose permission it has at OS level.
I definitely follow the above way to handle this.
2 - You can create a Z table and give the path as well as the company code. So you can track the path based on the employee running it, and you can also check the security.
But you need to build/maintain the Z table in this case.
You can also run the security trace and see what security AL11 checks in the background, but I guess it only checks the Tr. AL11, not the folder-level permission, as that comes into the picture at OS level.
Hope this'll give you a good idea!
Good luck!!
Saquib Khan