
P_ABAP not skipping the authorization check

Former Member
0 Kudos

Hi All,

I would require your assistance on the following issue at the earliest.

HR key users are executing the HR standard reports by using the t-code S_PH0_48000509 Adhoc query and also with t-code SQ01. When they execute the reports, the system has been checking their authorizations while executing the report, and the execution of the report is taking longer and also throwing an ABAP dump.

Hence, I went through some blogs and also SAP Help about the auth object P_ABAP. As stated in the help, I have provided access to the user with option 2 under

P_ABAP (HR: Reporting) - Authorizations for Human Resources - SAP Library

HR InfoSets for InfoSet Query (SAP Library - InfoSet Query)

But the system is still checking the authorization against the user in both foreground and background for the above t-codes. Please assist on the same.

Thanking you,

Kotesh

1 ACCEPTED SOLUTION

JonathanM
Contributor
0 Kudos

Hi,

The P_ABAP object works with programs. In the transaction you mention, the program getting the final result is not the same as the one behind the transaction for the AdHoc query... The programs for the queries are generated because the user has to make selections for input and output.

So from there you cannot use this simplification object. But if the users start already saved queries (and not infoset), then you could find and use that specific report.

I tried and traced myself:

AUTH        P_ABAP RC=0  REPID=!QZZ/SAPQUERY/H0MUYLAE08141045;COARS=2;type=TR;name=S_PH0_48000509;
AUTH        P_ABAP RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=S_PH0_48000509;

The name of the report is generated and always starts with something like AQZZ* or !QZZ*

But this is because they work from the Infoset.

If you start from the SQ01 and the queries:

AUTH        P_ABAP RC=0  REPID=AQZZ/SAPQUERY/H0CM_02========= ;COARS=2;type=TR;name=SQ01;
AUTH        P_ABAP RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=SQ01;

There the name of the query is fixed because the structure of the selection and the fields are already defined and fixed. You only choose the values to be processed.

The name is no more generic but always the same AQZZ/SAPQUERY/H0CM_02 for:

AQZZ  this is for a query from infoset /SAPQUERY/H0 on query CM_02

The second line on the trace is very dangerous to use because this would skip all HR controls in PNP programs, meaning almost all HR programs... So I do not recommend that option.

Best regards,

Jonathan
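The trace reading described in the answer above, as an added example that is not part of the original post: it parses the four quoted AUTH lines and marks which REPID values are fixed names that could be entered in a P_ABAP authorization, leaving out generated names and the logical database program the answer warns against. The prefix-to-kind mapping in `classify` and the labels it returns are assumptions read off those two traces.

```python
import re

# Constructed sample: the four trace lines quoted in the answer above.
TRACE = """\
AUTH        P_ABAP RC=0  REPID=!QZZ/SAPQUERY/H0MUYLAE08141045;COARS=2;type=TR;name=S_PH0_48000509;
AUTH        P_ABAP RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=S_PH0_48000509;
AUTH        P_ABAP RC=0  REPID=AQZZ/SAPQUERY/H0CM_02========= ;COARS=2;type=TR;name=SQ01;
AUTH        P_ABAP RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=SQ01;
"""

LINE = re.compile(r"^AUTH\s+(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s+(?P<fields>.+)$")

def parse_line(line):
    """Return a dict for one AUTH trace line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"object": m["obj"], "rc": int(m["rc"])}
    for part in m["fields"].split(";"):
        key, sep, value = part.partition("=")  # split on the first '=' only
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def classify(repid):
    """Assumed mapping, taken only from the two traces in the answer."""
    if repid == "SAPDBPNP":
        return "logical-database"  # broad: would cover PNP-based HR reports
    if repid.startswith("!QZZ"):
        return "generated"         # name created for the ad hoc run
    if repid.startswith("AQZZ"):
        return "saved-query"       # fixed name, the same on every run
    return "other"

def review(trace):
    """Return (transaction, REPID, kind, usable_as_P_ABAP_target) per check."""
    out = []
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec and rec["object"] == "P_ABAP":
            kind = classify(rec["REPID"])
            out.append((rec["name"], rec["REPID"], kind, kind == "saved-query"))
    return out

if __name__ == "__main__":
    for row in review(TRACE):
        print(row)
```
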


Former Member
0 Kudos

Hi Jonathan,

Thanks for replying to this message.

I agree with all your points and I also see the same results when I execute the different methods.

However, using the Adhoc query related t-code is throwing a dump, due to its taking a lot of time to give an output to the user, and a few HR key users want to have a faster output method. This requirement is not possible with the AdHoc query related t-code.

Because this Adhoc query t-code doesn't have an option to execute the report in the background. This is appraisal review time and they have been evaluating a lot of employee data at the company\country level in the system.

As I see it, the Adhoc reports related t-code doesn't meet their requirement. Hence, T-code SQ01 has an option to execute the report in 20 sec (background) whereas the same report has been taking more than 45 mins with AdHoc query (also users are getting the dumps).

I agree with your point that HR reports are very crucial\sensitive information and all the users should not have access to SQ01.

SQ01 will be given to the Key users only and it is also possible to restrict the query access in the t-code SQ03.

Regards,

Kotesh