Assign Authorization Using ABAP

former_member375795 · ‎03-26-2014

I create one zprogram2 , but user not having a authorization to use , but that program is not used by user directly , means that zprogram2 is call by another zprogram1 , So I need to give authorization in the zprogram1 to use zprogram2

Is it any function module to give authorization at run time .

Former Member · ‎03-26-2014

This message was moderated.

thanga_prakash · ‎03-26-2014

Hello Siva,

You would be having a transaction code assigned to program2. Do a authority check on that transaction before submitting program2 inside program1.

ex: program2 is assigned to transaction code TCODE2.

Inside program1 do like below.

AUTHORITY-CHECK OBJECT 'S_TCODE'

ID 'TCD' FIELD 'TCODE2'.

IF sy-subrc <> 0.

MESSAGE <No authority to transaction>

ENDIF.

SUBMIT program2.......

Regards,

TP

kmoore007 · ‎03-26-2014

You should run an authorization trace, or your Basis person should, as you execute the report and see what authorization objects are missing on his profile. You can also use t-code SU53 after he executes.

Former Member · ‎03-26-2014

Hi Alok,

You can't give a authorization to user while executing the program. What you can do is add a authorization check before the second program is executed/submitted from first one.

You can use AUTHORITY-CHECK OBJECT 'S_TCODE' to check the authorization for the Transaction of second program and also if there is anything specific security is used in second program (like plant/ legal entity) then that need to validated in first program before you/user submit second one.

To know why it is failing for any user you can check SU53 and ask your security team to provide that access/security object to that user. So that he gets the correct object in his role to execute that program.

Thanks.

former_member375795 · ‎03-27-2014

If i give permanent authorization to them there is no use of my program .

Please Tell me any function module through which i assign that authorization .

thanga_prakash · ‎03-27-2014

Hello Alok,

Did you check the above suggestion given by me.

Regards,

TP

former_member375795 · ‎03-27-2014

Yes

former_member375795 · ‎03-27-2014

This message was moderated.

nabheetscn · ‎03-27-2014

Alok What exactly you want to achieve

nabheetscn · ‎03-27-2014

it is not a proper way...It is big security risk...Imagine you gave some one auhtorization but due to some reason it was not removed back..Imagine because of a silly mistake wrong authorization was given

Nabheet

former_member375795 · ‎03-27-2014

SIR

After execution of statement reset the or delete the assign authorization if there is assign of authorization than there is way to remove the assign authorization also Sir

former_member375795 · ‎03-27-2014

Run time assign authorization .using function module .

matt · ‎03-27-2014

Simply repeating that mantra will get you nowhere. You need to explain the context.

Former Member · ‎03-27-2014

What you describe is the solution you have defined, and I'm getting the impression from the replies so far that is neither advisable or achievable.

I expect what Nabheet is looking to focus on is the requirements here, the situation that you are in that makes you think adding temporary authorisation at runtime is the solution.

In your original question you talk about zprogram2 and zprogram1, if you explained better what these programs do and why, all of these people who are trying to help you will be better placed to give you meaingful suggestions.

Regards,

Nick

former_member375795 · ‎03-27-2014

Dear Sir ,

I am having one program i.e zlogin after some other program are call on the basis according to there ID's but I am not able to give authorization to the other program which is called by zlogin if i give authorization to that program which is called by after zlogin then any one go to directly to that program so I am unable to control .

Scenario

zlogin 2 records .

id tcode

a1 mm01

a2 mm02

so i want to give authorization of mm01 after zlogin only , if they call directly mm01 then give error no authorization.

former_member187748 · ‎03-27-2014

Hi all,

i am little bit strucked because i am not getting that if a user id has no authorization at all for particular Tcode, can we assign it through any programs, means as we are restricting it at global level can we able to provide authorization for local level.

Hoping any fruitful information from experts..........

nabheetscn · ‎03-27-2014

Your requirement is you have a custom program in which you have an internal table with tcode and user id...now you want the user id to give dynamic authorization..? Who is executing this custom report?

Not clear

matt · ‎03-27-2014

It looks like he wants to be able to call MM01 (for example) from this program, but the user be unable to call MM01 directly. This is achievable by disallowing the transaction code "MM01" via roles, assigning all other material management create authorisations.

As far as I can see, this is an authorisation concept issue, not a programming issue.

matt · ‎03-27-2014

Assigning authorisations at runtime is possible, but extremely inadvisable unless you are guided by a security expert. It's also quite complicated to program.

To answer your question; there is no function module that allows you to assign authorisations at runtime.

If you explain exactly what you are trying to achieve and why, then it might be possible to help you.

kmoore007 · ‎03-27-2014

I agree with Matthew. This is an authorization issue, not a programming issue. You should work with your authorizations guy. The auditors will be happy you did.

matt · ‎03-27-2014

On that basis, I'll hand it over the the security space.

former_member375795 · ‎03-27-2014

Thank you sir ,

Please help me out in this problem .

Former Member · ‎03-27-2014

Create a transaction for prog1 (tcode1) and another for prog2 (tcode2). In prog1, you code a CALL TRANSACTION 'tcode2'. In prog2, you code IF sy-tcode <> 'tcode1'. EXIT.

-> You can only ever run prog2 from tcode1, and in that case don't need authorizations for tcode2.

No dynamic authorizations mechanism needed.

Cheers,

Julius

former_member375795 · ‎03-27-2014

Ok it is working but issue is that I have to download the some text file at that time it showing error

Former Member · ‎03-27-2014

If you want me to guess which error it is showing, then we can move this to the Test&Playground forum space for a few months?

Cheers,

Julius

former_member375795 · ‎03-27-2014

No sir ,

I error this like this showing running program by running user not having authorization .

Former Member · ‎03-27-2014

The problem is at line 68 of prog2, where it starts quoting Shakespeare from the scene in Macbeth where the crows are flying around the castle. The syntax should be clockwise.

I am sure it will work. Please revert back if in doubt and reconsider the option of moving this thread on in the journey to it's final destination...

Cheers,

Julius