
issue with authority check

Former Member
0 Kudos

Hi,

I have created an object class using SU21,

then by double-clicking it I have created an auth object, with auth fields ACTVT and WERKS and permitted values as all.

Then I went to PFCG, I created a role and then a profile, then I clicked change auth data - then I selected do not select templates and then I added manually my auth object, I have given a plant and ACTVT as full auth

and generated a profile and then in the user tab I gave my userid, and I compared it

everything looks in green

now I called the authcheck in my as

AUTHORITY-CHECK OBJECT 'ZFT'
  ID 'ACTVT' FIELD '02'
  ID 'WERKS' FIELD 'ABC'.
if sy-subrc eq 0.
  write : SY-UNAME , 'Suceess ZFT'.
else.
  write:/ SY-UNAME , 'Fail ZFT'.
endif.

Q1) DOES IT CHECK WITH SY-UNAME

I HAVE AUTH TO ME WHEN I RUN THE PRGM UNDER MY LOGIN I GET SUCCESS (SY-SUBRC EQ 0)

Q2)WHEN I RUN THE SAME UNDER A DIFFERENT LOGIN THE O/P IS FAIL ZFT

SO FAR IT'S WORKING FINE BUT FOR THIS CONDITION I AM GETTING A SY-SUBRC OF 12 WHICH SHOULD BE 4 AS PER THE HELP DOCUMENT

· 0: The user has an authorization for all specified values.

· 4: The user does not have the authorization.

· 8: The number of specified fields is incorrect.

· 12: The specified authorization object does not exist.

DO LET ME KNOW IF I AM MISSING ANYTHING.

Q3) INSTEAD OF THIS CAN I USE S_PROGRAM. LET ME KNOW WHAT EXACTLY IT DOES.

THANKS

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

"The specified authorization object does not exist (in the user master record)"

should be read as:

"No authorization data for the specified authorization object has been assigned to this user"

Well, in general it is not worth differentiating between the various non-zero return codes of an AUTHORITY-CHECK statement. Every non-zero value of SY-SUBRC indicates a failure, only SY-SUBRC = 0 indicates: "user has the requested authorization".

Regards, Wolfgang

0 Kudos

Hi Wolfgang,

thanks for the reply.

I have a few more questions. It would be great if you could answer these questions.

q1) I have a report which should be restricted based on the authorization to the user for a particular plant. I guess there should be a standard auth object provided by SAP which would restrict access to a particular plant. If there is one, please do let me know.

q2) Since I didn't find one, I have created one with auth fields ACTVT and WERKS and user.

If I want to give the auth to a particular user, what are the necessary steps I have to do?

I am confused while creating profiles: I have the user field, do I need to give names of all the users for whom I need to provide access, or do I need the name in the user tab?

I mean I have to provide that user name in authorization or user, or I have to go to SU01 and add to roles of each and every user.

Thanks

kajol

while creating profile

0 Kudos

Hi Kajol,

a1) I'm sorry - I can tell you something about the technology aspects but I'm afraid that I cannot tell you the name of the appropriate authorization object. The best approach in that case is: choose an existing SAP standard application where you are sure that such an authorization object will be checked, activate the trace (ST01) and evaluate the recorded trace afterwards to find the appropriate authorization object.

a2) Creating a new authorization object should be avoided - it's worth spending some effort in searching for existing auth. objects. Otherwise you need to create proper roles (containing your new auth. object) - or enhance existing roles (for those applications / transactions where your new auth. object is now checked).

Well, if you create a new role, you have to assign it to users - not to "each and every user" but selectively only to those which are supposed to possess it.

0 Kudos

I am not logged on, but I think M_MSEG_WRK is the one you want. (you are using actvt 02 (change), so it implies that the document already exists).

You might also want to consider getting the plant number from this already existing document (when you select it either as global data or more useful could be a static for this plant specific program) and making the authority check against the value found in the document. It is not clear what 'ABC' is.

Cheers,

Julius
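
An added example (not code from any poster in this thread) that applies two points made above: only SY-SUBRC = 0 counts as authorized, and the check runs against real plant values instead of a literal such as 'ABC'. ZFT is the custom object from the question; the report name, the variable names and the use of table T001W as the source of plants are assumptions.

```abap
REPORT zft_plant_auth_demo.

" Added example. Assumptions: ZFT is the custom authorization object from
" the question (fields ACTVT and WERKS); all other names are illustrative.
TABLES t001w.
SELECT-OPTIONS s_werks FOR t001w-werks.

DATA: lt_plants  TYPE STANDARD TABLE OF werks_d,
      lt_allowed TYPE STANDARD TABLE OF werks_d,
      lv_werks   TYPE werks_d.

START-OF-SELECTION.
  " Take the plants from data, not from a hard-coded literal.
  SELECT werks FROM t001w INTO TABLE lt_plants WHERE werks IN s_werks.

  LOOP AT lt_plants INTO lv_werks.
    " The check always runs for the logged-on user (SY-UNAME).
    AUTHORITY-CHECK OBJECT 'ZFT'
      ID 'ACTVT' FIELD '02'
      ID 'WERKS' FIELD lv_werks.

    " 0 is the only success value. 4, 8, 12 and any other non-zero
    " code are all treated as "not authorized" and the plant is dropped.
    IF sy-subrc = 0.
      APPEND lv_werks TO lt_allowed.
    ENDIF.
  ENDLOOP.

  " Fail closed: no authorized plant means no output at all.
  IF lt_allowed IS INITIAL.
    MESSAGE 'No authorization for any selected plant' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Only authorized plants reach the list.
  LOOP AT lt_allowed INTO lv_werks.
    WRITE: / sy-uname, lv_werks.
  ENDLOOP.
```

A user without any ZFT authorization in the user master gets SY-SUBRC = 12 for every plant and ends in the same fail-closed branch as a user who holds ZFT for other plants only (SY-SUBRC = 4).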