BI Analysis authorization concept to ECC transactions

Former Member
0 Kudos

Hi,

Can we implement the BI Analysis authorization concept in ECC?

Analysis authorization is carried out by transaction RSECADMIN in BI; this authorization concept works on InfoProviders.

Can we implement the same auto generation of profiles for create, modify, change transactions in ECC?

Multiple profiles assigned to multiple users with the same role but different values for each user dynamically.

Let me know if anyone has any idea on this.

Regards,

Kalpesh

1 ACCEPTED SOLUTION

Former Member
0 Kudos

No, you cannot use variables in user authorizations at runtime of authority-checks.

Slightly similar would be parameter IDs, user personalization keys, validations, check-tables, hardcoding, etc... but you have to maintain all of that, which is not fun.

Rather build good quality roles.

Cheers,

Julius

8 REPLIES 8

0 Kudos

Thanks for your reply.

I created a program to create a role as per a template role and updated the SAP user ID with the newly created profile.

I used the function modules below for this.

PRGN_RFC_CREATE_ACTIVITY_GROUP - to create role

BAPI_USER_ACTGROUPS_ASSIGN - to assign profile

As per my analysis we can create one profile for one role, which will contain the authorized values.

But the requirement is to keep one role with dynamic assignment of values, which I don't think is possible.

I tried the approach below. Let me know if SAP recommends this for the authorization concept instead of going through PFCG.

1. Create a new authorization for an authorization object and maintain values here, via transaction SU03.

2. Create a new profile via transaction SU02 with the authorization created above.

3. Then assign this profile to the user ID.

The above approach will not create any role. But I am not sure whether this is recommended.

I tried to search for function modules to create a profile without a role but didn't find anything.

Kindly let me know if anyone has any idea.

Regards,

Kalpesh

0 Kudos

You will still need to assign the manual profile to the user. That is not a best practice and is very far away from "dynamic"...

Cheers,

Julius

0 Kudos

Thanks Julius,

Let me know if you have any idea regarding any BAPIs or function modules which will help me to create an authorization, or to create a profile with only an authorization and no role.

regards,

Kalpesh

0 Kudos

Hi,

You will need to modify the code for every transaction (or group of functions) that you want to give access to in this way. It is a massive piece of work that requires the use of exits / enhancement points and significant modification to standard SAP code.

I have been there and done that for 1 module in SAP for a medium sized customer. The costs significantly outweigh the benefits and it is not something I would ever recommend again as there are more effective and cheaper ways of achieving and maintaining authorisation controls.

0 Kudos

Thanks.

Even I am not recommending this to the client. But just getting some expert opinion from SDN.

regards,

Kalpesh

0 Kudos

There are no released APIs to the ABAP authorizations maintenance. You cannot change the behaviour of the AUTHORITY-CHECK statement as you cannot access the coding behind it.

So... you would need to change all the programs to use a different construct than the (SAP owned) locations of the authority-checks.

As you can see from Alex's advice, you will need to take lots of camels and water with you on that journey because there are about 3 million programs in ECC...

Cheers,

Julius

Former Member
0 Kudos

Hi,

The BI authorization concept is not possible with an R3 or ECC system. It is a totally different approach.

Dynamic authorization is also not possible with coding, and it is suggested never to try that. The research will be a waste of time.

We have created a program to update the user ID with a profile. This will create a new authorization in the authorization object and will add that to a new Z profile.

The following function modules can be used for this.

SUSR_AUTH_CREATE

SUSR_INTERFACE_PROF

SUSR_INTERFACE_USER

SUSR_USER_AUTH_FOR_OBJ_GET

SUSR_USER_PROFS_BUFFER_CLEAR

SUSR_USER_PROFS_REMOVE_ONE

SUSR_USER_PROFS_BUFFER_TO_DB

Following is the program to add a new profile to the SAP user ID.

The following program reads Z table data, creates a profile and adds it to the SAP user ID.

report zbasisr_costcenter_auth.

constants : c_auth_obj(06) type c value 'K_CCA'.

data : it_zbas_costcenter type standard table of zbas_costcenter,

wa_zbas_costcenter type zbas_costcenter.

data: agrs like agr_texts occurs 0 with header line.

data: it_tcodes type standard table of ssm_tcodes,

wa_tcodes type ssm_tcodes,

it_hierarchy_nodes type standard table of smensapnew,

it_hierarchy_texts type standard table of smencust .

data : l_object type usr12-objct,

l_auth_name type usr12-auth,

l_auth_text type usr13-atext,

l_timezone(12) type c,

l_btyp type usr12-typ.

data: it_fieldvalues type standard table of user12,

wa_fieldvalues type user12.

data: it_usval type standard table of usval,

wa_usval type usval.

data : l_profile type usr10-profn,

l_ptext type usr11-ptext.

data: it_auths type standard table of usaut,

wa_auths type usaut.

data : it_prof_in type standard table of uspro,

it_prof_out type standard table of uspro.

data : l_user type usr04-bname.

types: begin of ty_usr10,

profn type usr10-profn,

end of ty_usr10.

data: it_usr10 type standard table of ty_usr10,

wa_usr10 type ty_usr10.

data:l_counter(9) type c,

i_counter type i,

l_pac_count(9) type p.

data : it_values type standard table of usvalues,

wa_values type usvalues,

l_remove_profile type usr10-profn.

selection-screen skip 1.

selection-screen begin of block blk1 with frame.

parameters p_run as checkbox ."default 'X'.

selection-screen end of block blk1.

*-----START OF SELECTION -


start-of-selection.

*if test run is selected

if p_run is not initial.

perform f_role_create.

endif.

end-of-selection.

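*&---------------------------------------------------------------------*
*&      Form  f_role_create
*&---------------------------------------------------------------------*
*       text
*----------------------------------------------------------------------*
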
form f_role_create .

refresh it_zbas_costcenter.

select * from zbas_costcenter

into corresponding fields of table it_zbas_costcenter

where zto_updt = 'X'.

loop at it_zbas_costcenter into wa_zbas_costcenter.

clear:l_object,l_auth_text,l_btyp.

l_object = c_auth_obj. "'K_CCA'.

l_auth_text = 'Auto generated Authorization'.

l_btyp = 'X'.

refresh it_usr10.

select profn

from usr10

into corresponding fields of table it_usr10

where profn like 'ZAU%'.

sort it_usr10 descending by profn.

clear l_counter.

if it_usr10[] is initial.

l_counter = '0'.

else.

clear wa_usr10.

read table it_usr10 into wa_usr10 index 1.

if sy-subrc = 0.

l_counter = wa_usr10-profn+03(09).

l_counter = l_counter + 1.

endif.

endif.

clear l_pac_count.

l_pac_count = l_counter.

unpack l_pac_count to l_counter.

clear l_auth_name.

concatenate 'ZAU' l_counter into l_auth_name.

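*reset field values so entries from earlier loop passes are not carried over

refresh it_fieldvalues.

*add action type

clear wa_fieldvalues.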

wa_fieldvalues-field = 'CO_ACTION'.

wa_fieldvalues-von = '0001'.

wa_fieldvalues-bis = '0008'.

append wa_fieldvalues to it_fieldvalues.

*add controlling area

clear wa_fieldvalues.

wa_fieldvalues-field = 'RESPAREA' .

wa_fieldvalues-von = wa_zbas_costcenter-zco_area."'*'.

* wa_fieldvalues-bis = '*'.

append wa_fieldvalues to it_fieldvalues.

*add cost elements

clear wa_fieldvalues.

wa_fieldvalues-field = 'KSTAR'.

wa_fieldvalues-von = wa_zbas_costcenter-zkostl_from. "'600000' .

wa_fieldvalues-bis = wa_zbas_costcenter-zkostl_to. "'600010' .

append wa_fieldvalues to it_fieldvalues.

call function 'SUSR_AUTH_CREATE'

exporting

object_ = l_object

auth_name = l_auth_name

auth_text = l_auth_text

btyp = l_btyp

tables

fieldvalues = it_fieldvalues

exceptions

object_not_exist = 1

auth_already_exists = 2

fieldvalues_wrong_input = 3

others = 4.

if sy-subrc = 0." if authorization is added

commit work.

write:/ 'New Authorization',l_auth_name,' is added to K_CCA.'.

*create profile with same name as authorization name

clear:l_profile,l_ptext.

l_profile = l_auth_name.

l_ptext = 'Auto Generated Profile '.

*add action type

refresh it_usval.

clear wa_usval.

wa_usval-objct = c_auth_obj. "'K_CCA'.

wa_usval-auth = l_auth_name.

wa_usval-sfield = 'CO_ACTION'.

*wa_USVAL-LNG =

wa_usval-von = '0001'.

wa_usval-bis = '0008'.

append wa_usval to it_usval.

*add cost elements as per table

clear wa_usval.

wa_usval-objct = c_auth_obj. " 'K_CCA'.

wa_usval-auth = l_auth_name.

wa_usval-sfield = 'KSTAR'.

*wa_USVAL-LNG =

wa_usval-von = wa_zbas_costcenter-zkostl_from. "'600000'.

wa_usval-bis = wa_zbas_costcenter-zkostl_to. "'600010'.

append wa_usval to it_usval.

*add controlling area

clear wa_usval.

wa_usval-objct = c_auth_obj. "'K_CCA'.

wa_usval-auth = l_auth_name.

wa_usval-sfield = 'RESPAREA'.

*wa_USVAL-LNG =

wa_usval-von = wa_zbas_costcenter-zco_area."'*'

* wa_usval-bis = '*'.

append wa_usval to it_usval.

refresh it_auths.

clear wa_auths.

wa_auths-objct = c_auth_obj. "'K_CCA'.

wa_auths-auth = l_auth_name.

wa_auths-atext = l_auth_text.

append wa_auths to it_auths.

refresh :it_prof_in,it_prof_out.

call function 'SUSR_INTERFACE_PROF'

exporting

profile = l_profile

ptext = l_ptext

ptype = ' '

action = '01'

no_check_in_create_mode = 'X'

* NO_CHECK_IN_UPDATE_MODE = ' '

dialog = 'X'

* IMPORTING

* PSTATE =

tables

values = it_usval

auths = it_auths

prof_in = it_prof_in

prof_out = it_prof_out

* AUTH_OUT =

exceptions

not_authorized_for_auth = 1

params_incomplete = 2

not_authorized_for_profile = 3

profile_exists = 4

auth_exists = 5

colective_profile = 6

bad_profile_name = 7

bad_auth_name = 8

profile_dont_exist = 9

authorization_overflow = 10

shorttext_missing = 11

others = 12

.

if sy-subrc = 0.

* if profile created

commit work.

write:/ 'New Profile',l_profile,' is created.'.

clear l_user.

l_user = wa_zbas_costcenter-zuserid.

call function 'SUSR_INTERFACE_USER'

exporting

profile = l_profile

user = l_user

action = 'I'

exceptions

params_incomplete = 1

not_authorized_for_user = 2

not_authorized_for_profile = 3

profile_doesnt_exist = 4

user_doesnt_exist = 5

profile_already_in_user = 6

profile_wasnt_in_user = 7

user_locked = 8

bad_action = 9

others = 10.

if sy-subrc = 0.

*if profile is added to SAP user id

commit work.

write:/ 'New Profile',l_profile,' is added to user',l_user.

*set updation flag as blank and changed on date

update zbas_costcenter

set zto_updt = ''

zaedtm = sy-datum

where zuserid = wa_zbas_costcenter-zuserid

and zto_updt = 'X'.

*get authorization profiles w.r.t. auth object K_CCA

refresh it_values.

call function 'SUSR_USER_AUTH_FOR_OBJ_GET'

exporting

new_buffering = '3'

mandant = sy-mandt

user_name = l_user

sel_object = 'K_CCA'

tables

values = it_values

exceptions

user_name_not_exist = 1

not_authorized = 2

internal_error = 3

others = 4.

if sy-subrc = 0.

*delete profile record which is newly created from internal table

delete it_values where auth = l_profile.

*delete other profiles which are started with ZAU for this user

loop at it_values into wa_values where auth(03) = 'ZAU' .

l_remove_profile = wa_values-auth.

call function 'SUSR_USER_PROFS_BUFFER_CLEAR'.

call function 'SUSR_USER_PROFS_REMOVE_ONE'

exporting

user_name = l_user

profile = l_remove_profile

exceptions

user_name_not_exist = 1

others = 2.

if sy-subrc = 0.

commit work.

call function 'SUSR_USER_PROFS_BUFFER_TO_DB'

exceptions

others = 0.

endif.

clear wa_values.

endloop.

endif.

endif.

endif.

endif.

clear wa_zbas_costcenter.

endloop.

endform. " F_ROLE_CREATE
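
An added audit report, not part of the thread or any poster's code: it lists the users who hold ZAU* profiles of the kind the program above generates, together with the K_CCA field values each one grants, so that direct profile assignments made outside PFCG can be reviewed. It assumes the standard tables UST04 (user to profile) and UST12 (authorization values) with the field names shown; the report name is hypothetical.

```abap
report zaudit_zau_profiles.

* Added example: review directly assigned ZAU* profiles and their
* K_CCA values. Table and field names are assumptions to verify in SE11.
types: begin of ty_assign,
         bname   type ust04-bname,
         profile type ust04-profile,
       end of ty_assign,
       begin of ty_value,
         field type ust12-field,
         von   type ust12-von,
         bis   type ust12-bis,
       end of ty_value.

data: it_assign type standard table of ty_assign,
      wa_assign type ty_assign,
      it_value  type standard table of ty_value,
      wa_value  type ty_value.

start-of-selection.

* user-to-profile assignments in the current client
  select bname profile from ust04
    into table it_assign
    where profile like 'ZAU%'.

  sort it_assign by bname profile.

  loop at it_assign into wa_assign.
    write: / wa_assign-bname, wa_assign-profile.

* the thread's program names the authorization after the profile,
* so the profile name is used as the authorization key here
    refresh it_value.
    select field von bis from ust12
      into table it_value
      where objct = 'K_CCA'
        and auth  = wa_assign-profile
        and aktps = 'A'.

    loop at it_value into wa_value.
      write: /5 wa_value-field, wa_value-von, wa_value-bis.
* a bare '*' grants every value of the field and deserves a second look
      if wa_value-von = '*'.
        write: 'full wildcard'.
      endif.
    endloop.
  endloop.
```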