03-26-2014 5:06 PM
I create one zprogram2 , but user not having a authorization to use , but that program is not used by user directly , means that zprogram2 is call by another zprogram1 , So I need to give authorization in the zprogram1 to use zprogram2
Is it any function module to give authorization at run time .
03-26-2014 5:31 PM
03-26-2014 6:03 PM
Hello Siva,
You would be having a transaction code assigned to program2. Do a authority check on that transaction before submitting program2 inside program1.
ex: program2 is assigned to transaction code TCODE2.
Inside program1 do like below.
AUTHORITY-CHECK OBJECT 'S_TCODE'
ID 'TCD' FIELD 'TCODE2'.
IF sy-subrc <> 0.
MESSAGE <No authority to transaction>
ENDIF.
SUBMIT program2.......
Regards,
TP
03-26-2014 6:48 PM
You should run an authorization trace, or your Basis person should, as you execute the report and see what authorization objects are missing on his profile. You can also use t-code SU53 after he executes.
03-26-2014 7:27 PM
Hi Alok,
You can't give a authorization to user while executing the program. What you can do is add a authorization check before the second program is executed/submitted from first one.
You can use AUTHORITY-CHECK OBJECT 'S_TCODE' to check the authorization for the Transaction of second program and also if there is anything specific security is used in second program (like plant/ legal entity) then that need to validated in first program before you/user submit second one.
To know why it is failing for any user you can check SU53 and ask your security team to provide that access/security object to that user. So that he gets the correct object in his role to execute that program.
Thanks.
03-27-2014 6:08 AM
If i give permanent authorization to them there is no use of my program .
Please Tell me any function module through which i assign that authorization .
03-27-2014 6:27 AM
03-27-2014 8:21 AM
03-27-2014 8:22 AM
03-27-2014 8:26 AM
03-27-2014 8:29 AM
it is not a proper way...It is big security risk...Imagine you gave some one auhtorization but due to some reason it was not removed back..Imagine because of a silly mistake wrong authorization was given
Nabheet
03-27-2014 8:48 AM
SIR
After execution of statement reset the or delete the assign authorization if there is assign of authorization than there is way to remove the assign authorization also Sir
03-27-2014 9:51 AM
03-27-2014 9:54 AM
Simply repeating that mantra will get you nowhere. You need to explain the context.
03-27-2014 9:56 AM
What you describe is the solution you have defined, and I'm getting the impression from the replies so far that is neither advisable or achievable.
I expect what Nabheet is looking to focus on is the requirements here, the situation that you are in that makes you think adding temporary authorisation at runtime is the solution.
In your original question you talk about zprogram2 and zprogram1, if you explained better what these programs do and why, all of these people who are trying to help you will be better placed to give you meaingful suggestions.
Regards,
Nick
03-27-2014 10:06 AM
Dear Sir ,
I am having one program i.e zlogin after some other program are call on the basis according to there ID's but I am not able to give authorization to the other program which is called by zlogin if i give authorization to that program which is called by after zlogin then any one go to directly to that program so I am unable to control .
Scenario
zlogin 2 records .
id tcode
a1 mm01
a2 mm02
so i want to give authorization of mm01 after zlogin only , if they call directly mm01 then give error no authorization.
03-27-2014 10:19 AM
Hi all,
i am little bit strucked because i am not getting that if a user id has no authorization at all for particular Tcode, can we assign it through any programs, means as we are restricting it at global level can we able to provide authorization for local level.
Hoping any fruitful information from experts..........
03-27-2014 10:22 AM
Your requirement is you have a custom program in which you have an internal table with tcode and user id...now you want the user id to give dynamic authorization..? Who is executing this custom report?
Not clear
03-27-2014 10:38 AM
It looks like he wants to be able to call MM01 (for example) from this program, but the user be unable to call MM01 directly. This is achievable by disallowing the transaction code "MM01" via roles, assigning all other material management create authorisations.
As far as I can see, this is an authorisation concept issue, not a programming issue.
03-27-2014 9:54 AM
Assigning authorisations at runtime is possible, but extremely inadvisable unless you are guided by a security expert. It's also quite complicated to program.
To answer your question; there is no function module that allows you to assign authorisations at runtime.
If you explain exactly what you are trying to achieve and why, then it might be possible to help you.
03-27-2014 11:39 AM
I agree with Matthew. This is an authorization issue, not a programming issue. You should work with your authorizations guy. The auditors will be happy you did.
03-27-2014 12:11 PM
03-27-2014 12:20 PM
03-27-2014 12:30 PM
Create a transaction for prog1 (tcode1) and another for prog2 (tcode2). In prog1, you code a CALL TRANSACTION 'tcode2'. In prog2, you code IF sy-tcode <> 'tcode1'. EXIT.
-> You can only ever run prog2 from tcode1, and in that case don't need authorizations for tcode2.
No dynamic authorizations mechanism needed.
Cheers,
Julius
03-27-2014 7:32 PM
Ok it is working but issue is that I have to download the some text file at that time it showing error
03-27-2014 7:35 PM
If you want me to guess which error it is showing, then we can move this to the Test&Playground forum space for a few months?
Cheers,
Julius
03-27-2014 7:47 PM
No sir ,
I error this like this showing running program by running user not having authorization .
03-27-2014 8:52 PM
The problem is at line 68 of prog2, where it starts quoting Shakespeare from the scene in Macbeth where the crows are flying around the castle. The syntax should be clockwise.
I am sure it will work. Please revert back if in doubt and reconsider the option of moving this thread on in the journey to it's final destination...
Cheers,
Julius