
Authorization Error while executing a program

Former Member
0 Kudos

Hi All,

I have developed a program which calls the VF02 transaction in background. But while executing it, the program fails with the message 'No authorization for sales organization XXXX'.

The users who are executing the program do not have access to VF02, and for security reasons the access cannot be given to the users.

So my question is whether this error is due to no access to 'VF02' or with the sales organization?

Can we give access to the users according to sales organization rather than giving authorization for VF02 ?

If not, then what's the solution to rectify this error without giving VF02 access to users?

Please help.

Thanks,

Sanujit Acharya

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Sanujit,

You can also ask the user to execute SU53 to perform an authorization check immediately after executing your program. This should give you the missing object/value.

Hope this will help.

Regards,

Pinkle

11 REPLIES

Former Member
0 Kudos

Hi

The issue is with the sales org. You can work with your security administrator to get a bit more info about this. You can check the code in VA02 to see what the auth checks are in the parent transaction. Alternatively your sec admin can run a trace on this to see what exactly is being used as SAP responds to your modified use of VA02.

Former Member
0 Kudos

The XXXX value of Sales Org is required in auth objects V_KONH_VKO or V_VBRK_VKO from a suitable role. The security team should be able to update it accordingly as per the existing policies if these objects are made available via other involved tcodes.

~Sri
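
An added example, not part of the thread and not SAP's or the original poster's code: a wrapper report that reads the billing document's sales organization and checks V_VBRK_VKO for change activity explicitly before handing over to VF02, so a missing sales-organization value is reported by the wrapper itself. The report name ZSD_CHANGE_BILLING_DOC, the message texts, and the dialog call via parameter ID VF (instead of the background call the question describes) are assumptions.

```abap
REPORT zsd_change_billing_doc.
" Illustration only: report name and message texts are hypothetical.

PARAMETERS p_vbeln TYPE vbrk-vbeln OBLIGATORY.

DATA: lv_vkorg TYPE vbrk-vkorg,
      lv_text  TYPE string.

START-OF-SELECTION.
  " The sales organization of the document decides which value is checked.
  SELECT SINGLE vkorg FROM vbrk INTO lv_vkorg WHERE vbeln = p_vbeln.
  IF sy-subrc <> 0.
    MESSAGE 'Billing document not found' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Explicit check on the object named in the error: change activity (02)
  " for exactly this sales organization. A failed check is recorded and
  " can be displayed by the user with SU53 right afterwards.
  AUTHORITY-CHECK OBJECT 'V_VBRK_VKO'
    ID 'VKORG' FIELD lv_vkorg
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    CONCATENATE 'No change authorization for sales organization' lv_vkorg
      INTO lv_text SEPARATED BY space.
    MESSAGE lv_text TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Hand over to VF02. The authority checks coded inside VF02 still run,
  " so the role must carry every object the transaction checks, not only
  " the one tested above.
  SET PARAMETER ID 'VF' FIELD p_vbeln.
  CALL TRANSACTION 'VF02' AND SKIP FIRST SCREEN.
```

The explicit check does not replace the role change discussed in the thread; it only makes the wrapper fail early and with a clear message when the user's role lacks the sales organization value.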

Former Member
0 Kudos

I think there is a flaw behind the coding and the intended usage of the program. Irrespective of whether the program has a call transaction statement for VF02 or you give authorization to the user via another role on V_VBRK_VKO, the user is changing the billing document in a particular sales organization - so the security restriction on the user not to have this access is already compromised, isn't it?

The best solution for this would be to discuss with the people from business the purpose and usage of the program and then analyse the risks - that should give a better idea to judge whether changing the program makes sense or adding authorizations to users.

Former Member
0 Kudos

Hi,

You are running the VF02 transaction indirectly. So the user needs access to all the objects that are required to run the transaction VF02.

To solve this, contact the S&A team. Through ST01 trace analysis, the objects required for a successful run of the job can be found out.

If you are running the VF02 transaction indirectly through the program, assignment of the VF02 transaction should not be required.

Regards,

Sandip

Former Member
0 Kudos

Hi,

If your custom program is calling transaction VF02, then the ID which is executing this program should have access to transaction VF02.

However, if the user executing the program has access to VF02 for a particular sales organization, then the program will also run successfully.

Hope this helps.

Let me know if any more information is required.

Thanks,

Sandeep

Former Member
0 Kudos

Hi

To answer the last part of your question:

Can we give access to the users according to sales organization rather than giving authorization for VF02 ?

If not, then what's the solution to rectify this error without giving VF02 access to users?

Users must have access to VF02 but you can create Separate Dialog ID's having access to respective sales organization only.

i.e., restrict access upon sales organization.

Thanks,

Sandeep

0 Kudos

Hi Sandeep

Users must have access to VF02 but you can create Separate Dialog ID's having access to respective sales organization only.

i.e., restrict access upon sales organization.

Please could you explain the 'Separate Dialog ID's' comment? I'm guessing this means segregation of duties work?

I've tried investigating these 'called' transactions (SAP standard only) and also the custom code call standard and the called may/may not need to be accessible directly depending on the resultant access via the call and also the pixie dust hidden within the ABAP...

A delivered GRC RAR ruleset (if available) will also need to be tweaked and updated accordingly - not as simple as it may seem when everybody gets involved

Cheers

David

Edited by: David Berry on May 24, 2011 10:57 PM

0 Kudos

Hi David,

The idea is to restrict access based on sales organization. This can be done by creating derived roles in which access is restricted at ORG levels for different sales organizations.

Once access is restricted, we can create different users and assign this access to them.

Let me know if any further information is required.

Thanks

Sandeep

0 Kudos

Hi Sandeep

The OP's question appears to be 'If I give a custom transaction to a user it seems to then call an object unexpectedly that has a sales organisation value because I'm using it to call VF02'.

Due to SU24 not being updated for the custom transaction I'm guessing.

A trace would probably assist when working with the functional team to decide what is really needed but I'm a little lost as to what is being asked of either the OP or the security/ABAP teams as this is pretty basic stuff...

@Sanujit

I have developed a program which calls VF02 transaction in background. But while executing it

Have you had this program associated with a custom transaction yet?

Regards

David

Edited by: David Berry on May 28, 2011 5:41 PM (got my sales orders mixed up)

Edited by: David Berry on May 28, 2011 5:47 PM

Former Member
0 Kudos

Thanks to everybody for your help.

I had a discussion with the BASIS team and the corresponding auth. was given to user.

Thanks again.

Sanujit Acharya