08-25-2010 10:16 AM
Hi,
Can we implement the BI Analysis authorization concept in ECC?
Analysis authorization is carried out by transaction RSECADMIN in BI; this authorization concept works on InfoProviders.
Can we implement the same auto generation of profiles for create, modify, change transactions in ECC?
Multiple profiles assigned to multiple users with the same role but different values for each user dynamically.
Let me know if anyone has any idea on this.
Regards,
Kalpesh
08-25-2010 10:46 AM
No, you cannot use variables in user authorizations at runtime of authority-checks.
Slightly similar would be parameter IDs, user personalization keys, validations, check-tables, hardcoding, etc... but you have to maintain all of that, which is not fun.
Rather build good quality roles.
Cheers,
Julius
08-25-2010 11:21 AM
Thanks for your reply.
I created a program to create a role as per a template role and updated that to the SAP user id with the newly created profile.
I used the below function modules for the same.
PRGN_RFC_CREATE_ACTIVITY_GROUP - to create role
BAPI_USER_ACTGROUPS_ASSIGN - to assign profile
As per my analysis we can create one profile for one role which will contain authorized values.
But the requirement is to keep one role with dynamic assignment of values, which I don't think is possible.
I tried the below approach. Let me know if SAP recommends this for the authorization concept instead of going through PFCG.
1. Create a new authorization for an authorization object and maintain values here, via transaction SU03.
2. Create a new profile via transaction SU02 with the above created authorization.
3. Then assign this profile to the user id.
The above approach will not create any role. But I am not sure whether this is recommended.
I tried to search for any function modules to create a profile without a role but didn't find anything.
Kindly let me know if anyone has any idea.
Regards,
Kalpesh
08-25-2010 11:52 AM
You will still need to assign the manual profile to the user. That is not a best practice and is very far away from "dynamic"...
Cheers,
Julius
08-25-2010 12:22 PM
Thanks Julius,
Let me know if you have any idea regarding any BAPIs or function modules which will help me to create an authorization or to create a profile with only an authorization and no role.
regards,
Kalpesh
08-25-2010 1:23 PM
Hi,
You will need to modify the code for every transaction (or group of functions) that you want to give access to in this way. It is a massive piece of work that requires the use of exits / enhancement points and significant modification to standard SAP code.
I have been there and done that for 1 module in SAP for a medium sized customer. The costs significantly outweigh the benefits and it is not something I would ever recommend again as there are more effective and cheaper ways of achieving and maintaining authorisation controls.
08-25-2010 1:26 PM
Thanks.
Even I am not recommending this to the client. But just getting some expert opinion from SDN.
regards,
Kalpesh
08-25-2010 1:27 PM
There are no released APIs to the ABAP authorizations maintenance. You cannot change the behaviour of the AUTHORITY-CHECK statement as you cannot access the coding behind it.
So... you would need to change all the programs to use a different construct than the (SAP owned) locations of the authority-checks.
As you can see from Alex's advice, you will need to take lots of camels and water with you on that journey because there are about 3 million programs in ECC...
Cheers,
Julius
08-31-2010 9:15 AM
Hi,
The BI authorization concept is not possible with an R3 or ECC system. It is a totally different approach.
Dynamic authorization is also not possible with coding, and it was suggested never to try that. The research will be a waste of time.
We have created a program to update the user id with a profile. This will create a new authorization in the authorization object and will add that to a new Z profile.
The following function modules can be used for this.
SUSR_AUTH_CREATE
SUSR_INTERFACE_PROF
SUSR_INTERFACE_USER
SUSR_USER_AUTH_FOR_OBJ_GET
SUSR_USER_PROFS_BUFFER_CLEAR
SUSR_USER_PROFS_REMOVE_ONE
SUSR_USER_PROFS_BUFFER_TO_DB
Following is the program to add a new profile to the SAP user id.
The following program reads Z table data, creates a profile and adds the same to the SAP user id.
report zbasisr_costcenter_auth.

constants: c_auth_obj(06) type c value 'K_CCA'.

data: it_zbas_costcenter type standard table of zbas_costcenter,
      wa_zbas_costcenter type zbas_costcenter.
data: agrs like agr_texts occurs 0 with header line.
data: it_tcodes          type standard table of ssm_tcodes,
      wa_tcodes          type ssm_tcodes,
      it_hierarchy_nodes type standard table of smensapnew,
      it_hierarchy_texts type standard table of smencust.
data: l_object       type usr12-objct,
      l_auth_name    type usr12-auth,
      l_auth_text    type usr13-atext,
      l_timezone(12) type c,
      l_btyp         type usr12-typ.
data: it_fieldvalues type standard table of user12,
      wa_fieldvalues type user12.
data: it_usval type standard table of usval,
      wa_usval type usval.
data: l_profile type usr10-profn,
      l_ptext   type usr11-ptext.
data: it_auths type standard table of usaut,
      wa_auths type usaut.
data: it_prof_in  type standard table of uspro,
      it_prof_out type standard table of uspro.
data: l_user type usr04-bname.
types: begin of ty_usr10,
         profn type usr10-profn,
       end of ty_usr10.
data: it_usr10 type standard table of ty_usr10,
      wa_usr10 type ty_usr10.
data: l_counter(9)   type c,
      i_counter(9)   type i,
      l_pac_count(9) type p.
data: it_values        type standard table of usvalues,
      wa_values        type usvalues,
      l_remove_profile type usr10-profn.
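
selection-screen skip 1.
selection-screen begin of block blk1 with frame.
parameters p_run as checkbox ."default 'X'.
selection-screen end of block blk1.

*-----START OF SELECTION -
start-of-selection.
*if test run is selected
  if p_run is not initial.
    perform f_role_create.
  endif.

end-of-selection.

*&---------------------------------------------------------------------*
*&      Form  f_role_create
*&---------------------------------------------------------------------*
*       text
*----------------------------------------------------------------------*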
form f_role_create .
  refresh it_zbas_costcenter.
  select * from zbas_costcenter
    into corresponding fields of table it_zbas_costcenter
    where zto_updt = 'X'.

  loop at it_zbas_costcenter into wa_zbas_costcenter.
    clear: l_object, l_auth_text, l_btyp.
    l_object    = c_auth_obj. "'K_CCA'.
    l_auth_text = 'Auto generated Authorization'.
    l_btyp      = 'X'.

*   find the highest existing ZAU* profile number and increment it
    refresh it_usr10.
    select profn
      from usr10
      into corresponding fields of table it_usr10
      where profn like 'ZAU%'.
    sort it_usr10 descending by profn.
    clear l_counter.
    if it_usr10[] is initial.
      l_counter = '0'.
    else.
      clear wa_usr10.
      read table it_usr10 into wa_usr10 index 1.
      if sy-subrc = 0.
        l_counter = wa_usr10-profn+03(09).
        l_counter = l_counter + 1.
      endif.
    endif.
    clear l_pac_count.
    l_pac_count = l_counter.
    unpack l_pac_count to l_counter.
    clear l_auth_name.
    concatenate 'ZAU' l_counter into l_auth_name.

*   reset the field values so that values from a previous row are not
*   carried into this authorization
    refresh it_fieldvalues.
*add action type
    clear wa_fieldvalues.
    wa_fieldvalues-field = 'CO_ACTION'.
    wa_fieldvalues-von   = '0001'.
    wa_fieldvalues-bis   = '0008'.
    append wa_fieldvalues to it_fieldvalues.
*add controlling area
    clear wa_fieldvalues.
    wa_fieldvalues-field = 'RESPAREA' .
    wa_fieldvalues-von   = wa_zbas_costcenter-zco_area."'*'.
    wa_fieldvalues-bis   = '*'.
    append wa_fieldvalues to it_fieldvalues.
*add cost elements
    clear wa_fieldvalues.
    wa_fieldvalues-field = 'KSTAR'.
    wa_fieldvalues-von   = wa_zbas_costcenter-zkostl_from. "'600000' .
    wa_fieldvalues-bis   = wa_zbas_costcenter-zkostl_to. "'600010' .
    append wa_fieldvalues to it_fieldvalues.

    call function 'SUSR_AUTH_CREATE'
      exporting
        object_                 = l_object
        auth_name               = l_auth_name
        auth_text               = l_auth_text
        btyp                    = l_btyp
      tables
        fieldvalues             = it_fieldvalues
      exceptions
        object_not_exist        = 1
        auth_already_exists     = 2
        fieldvalues_wrong_input = 3
        others                  = 4.
    if sy-subrc = 0." if authorization is added
      commit work.
      write: / 'New Authorization', l_auth_name, ' is added to K_CCA.'.
*create profile with same name as authorization name
      clear: l_profile, l_ptext.
      l_profile = l_auth_name.
      l_ptext   = 'Auto Generated Profile '.
*add action type
      refresh it_usval.
      clear wa_usval.
      wa_usval-objct  = c_auth_obj. "'K_CCA'.
      wa_usval-auth   = l_auth_name.
      wa_usval-sfield = 'CO_ACTION'.
*wa_USVAL-LNG =
      wa_usval-von    = '0001'.
      wa_usval-bis    = '0008'.
      append wa_usval to it_usval.
*add cost elements as per table
      clear wa_usval.
      wa_usval-objct  = c_auth_obj. " 'K_CCA'.
      wa_usval-auth   = l_auth_name.
      wa_usval-sfield = 'KSTAR'.
*wa_USVAL-LNG =
      wa_usval-von    = wa_zbas_costcenter-zkostl_from. "'600000'.
      wa_usval-bis    = wa_zbas_costcenter-zkostl_to. "'600010'.
      append wa_usval to it_usval.
*add controlling area
      clear wa_usval.
      wa_usval-objct  = c_auth_obj. "'K_CCA'.
      wa_usval-auth   = l_auth_name.
      wa_usval-sfield = 'RESPAREA'.
*wa_USVAL-LNG =
      wa_usval-von    = wa_zbas_costcenter-zco_area."'*'
      wa_usval-bis    = '*'.
      append wa_usval to it_usval.

      refresh it_auths.
      clear wa_auths.
      wa_auths-objct = c_auth_obj. "'K_CCA'.
      wa_auths-auth  = l_auth_name.
      wa_auths-atext = l_auth_text.
      append wa_auths to it_auths.
      refresh: it_prof_in, it_prof_out.

      call function 'SUSR_INTERFACE_PROF'
        exporting
          profile                    = l_profile
          ptext                      = l_ptext
          ptype                      = ' '
          action                     = '01'
          no_check_in_create_mode    = 'X'
          NO_CHECK_IN_UPDATE_MODE    = ' '
          dialog                     = 'X'
*       IMPORTING
*         PSTATE                     =
        tables
          values                     = it_usval
          auths                      = it_auths
          prof_in                    = it_prof_in
          prof_out                   = it_prof_out
*         AUTH_OUT                   =
        exceptions
          not_authorized_for_auth    = 1
          params_incomplete          = 2
          not_authorized_for_profile = 3
          profile_exists             = 4
          auth_exists                = 5
          colective_profile          = 6
          bad_profile_name           = 7
          bad_auth_name              = 8
          profile_dont_exist         = 9
          authorization_overflow     = 10
          shorttext_missing          = 11
          others                     = 12.
      if sy-subrc = 0.
*if profile created
        commit work.
        write: / 'New Profile', l_profile, ' is created.'.
        clear l_user.
        l_user = wa_zbas_costcenter-zuserid.
        call function 'SUSR_INTERFACE_USER'
          exporting
            profile                    = l_profile
            user                       = l_user
            action                     = 'I'
          exceptions
            params_incomplete          = 1
            not_authorized_for_user    = 2
            not_authorized_for_profile = 3
            profile_doesnt_exist       = 4
            user_doesnt_exist          = 5
            profile_already_in_user    = 6
            profile_wasnt_in_user      = 7
            user_locked                = 8
            bad_action                 = 9
            others                     = 10.
        if sy-subrc = 0.
*if profile is added to SAP user id
          commit work.
          write: / 'New Profile', l_profile, ' is added to user', l_user.
*set updation flag as blank and changed on date
          update zbas_costcenter
            set zto_updt = ''
                zaedtm   = sy-datum
            where zuserid  = wa_zbas_costcenter-zuserid
              and zto_updt = 'X'.
*get authorization profiles w.r.t. auth object K_CCA
          refresh it_values.
          call function 'SUSR_USER_AUTH_FOR_OBJ_GET'
            exporting
              new_buffering       = '3'
              mandant             = sy-mandt
              user_name           = l_user
              sel_object          = 'K_CCA'
            tables
              values              = it_values
            exceptions
              user_name_not_exist = 1
              not_authorized      = 2
              internal_error      = 3
              others              = 4.
          if sy-subrc = 0.
*delete profile record which is newly created from internal table
            delete it_values where auth = l_profile.
*delete other profiles which are started with ZAU for this user
            loop at it_values into wa_values where auth(03) = 'ZAU' .
              l_remove_profile = wa_values-auth.
              call function 'SUSR_USER_PROFS_BUFFER_CLEAR'.
              call function 'SUSR_USER_PROFS_REMOVE_ONE'
                exporting
                  user_name           = l_user
                  profile             = l_remove_profile
                exceptions
                  user_name_not_exist = 1
                  others              = 2.
              if sy-subrc = 0.
                commit work.
                call function 'SUSR_USER_PROFS_BUFFER_TO_DB'
                  exceptions
                    others = 0.
              endif.
              clear wa_values.
            endloop.
          endif.
        endif.
      endif.
    endif.
    clear wa_zbas_costcenter.
  endloop.
endform. " F_ROLE_CREATE
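
For reviewing what a generator like the one above leaves in the user master, here is an added audit report (not part of the thread and not SAP-delivered code): it lists every user holding a ZAU* profile together with its K_CCA values and flags wildcard bounds such as the RESPAREA upper limit. It assumes the standard tables UST04 and UST12 with the field names used, and the thread's convention that the profile name equals the authorization name; the report name is hypothetical.

```abap
report zbasis_audit_zau_profiles.

* Added audit example. Assumptions: UST04 holds user -> profile
* assignments, UST12 holds active authorization values, and generated
* profiles carry the same name as their single K_CCA authorization.
types: begin of ty_hit,
         bname   type ust04-bname,
         profile type ust04-profile,
         field   type ust12-field,
         von     type ust12-von,
         bis     type ust12-bis,
       end of ty_hit.

data: it_hits type standard table of ty_hit,
      wa_hit  type ty_hit.

start-of-selection.
* Only users allowed to display user master data may run the listing.
  authority-check object 'S_USER_GRP'
    id 'CLASS' dummy
    id 'ACTVT' field '03'.
  if sy-subrc <> 0.
    message 'No display authorization for user master data' type 'E'.
  endif.

* Join directly assigned ZAU* profiles to their active K_CCA values.
  select u~bname u~profile a~field a~von a~bis
    from ust04 as u
    inner join ust12 as a on a~auth = u~profile
    into table it_hits
    where u~profile like 'ZAU%'
      and a~objct   = 'K_CCA'
      and a~aktps   = 'A'.

  sort it_hits by bname profile field.
  loop at it_hits into wa_hit.
    write: / wa_hit-bname, wa_hit-profile, wa_hit-field,
             wa_hit-von, wa_hit-bis.
*   A '*' bound means the range is not limited to the Z table values.
    if wa_hit-von = '*' or wa_hit-bis = '*'.
      write: 'WIDE RANGE' color col_negative.
    endif.
  endloop.
  if it_hits is initial.
    write: / 'No ZAU* profiles assigned in this client.'.
  endif.
```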