Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User authorization for ZReports, Plant Specific

Go to solution
Former Member

‎01-10-2016 6:00 AM

0 Kudos

We have Created a ZReport for Invoice wise Sales Detail.  In Input Parameter we have Plant.  Currently Every User can See that report but now we require to limit the access of Users as per region of Plant.

E.g. - I have 3 Plants in 3 different states (Region) Delhi (D100), Mumbai (M100), Chennai (C100) .

Currently User (USER ID - USER D1 or USER D2) from a Delhi can Run the Report and Put the Plant Mumbai Plant M100 and see the Report but he not suppose to see as USER D1 Belongs to Delhi Region and System Should Allowed him to see the results of related to Mumbai Plant.

how to achieve it ? Do we required Basis-Security consultant also to achieve it or It can be done through ABAP route with help User-Exit. If Yes, Than Which User Exit we need to use ?

1 ACCEPTED SOLUTION

Go to solution
VeselinaPeykova
Active Contributor

‎01-10-2016 6:38 AM

0 Kudos

This is a z-report, so you need to check with the developer what authorization checks are already implemented. You can investigate by yourself by performing authorization trace (ST01) or reviewing the source code (look for authority-check statements).

Using the plant for restricting display of invoices may not be a good idea in certain processes in your company (technically you can have more than one plant in a billing document), so please double-check with the business whether this approach should be applied to all billing types currently in use, especially export/intercompany processes.

You can review what authorization objects exist in the system (which you can use for authority-check statements) with SUIM->Authorizatiion Objects->Authorization Objects by Complex Selection Criteria.

If no suitable objects exist, your developer can create a z-object to be used in the report.

After that you need to ask the authorization team to include the object in the relevant roles and transport the settings to quality/production.

Usually SD functional consultants are not allowed to create authorization objects or change custom reports (unless they are techno-functional) and even in this case authorization roles updates are performed only by the authorization/security team after confirmation by the business - approval for role update and positive confirmation from testing in the quality system.

4 REPLIES 4

Go to solution
VeselinaPeykova
Active Contributor

‎01-10-2016 6:38 AM

0 Kudos

This is a z-report, so you need to check with the developer what authorization checks are already implemented. You can investigate by yourself by performing authorization trace (ST01) or reviewing the source code (look for authority-check statements).

Using the plant for restricting display of invoices may not be a good idea in certain processes in your company (technically you can have more than one plant in a billing document), so please double-check with the business whether this approach should be applied to all billing types currently in use, especially export/intercompany processes.

You can review what authorization objects exist in the system (which you can use for authority-check statements) with SUIM->Authorizatiion Objects->Authorization Objects by Complex Selection Criteria.

If no suitable objects exist, your developer can create a z-object to be used in the report.

After that you need to ask the authorization team to include the object in the relevant roles and transport the settings to quality/production.

Usually SD functional consultants are not allowed to create authorization objects or change custom reports (unless they are techno-functional) and even in this case authorization roles updates are performed only by the authorization/security team after confirmation by the business - approval for role update and positive confirmation from testing in the quality system.

Go to solution
Lakshmipathi
Active Contributor

‎01-11-2016 10:08 AM

0 Kudos

Moved from SAP ERP Sales and Distribution (SAP SD) to Security

Go to solution
pardhreddyc
Active Contributor

‎01-11-2016 10:12 AM

0 Kudos

Dear,

We too have same functionality in sales, where we created a custom authorization object as ZWERKS and assigned to each plant user in authorization roles.

You sit with your abaper to set the authorization object in the program to have accesses to only plant maintained in authorization object in a user ROLE.

Regards,

pardhu

Go to solution
former_member216877
Participant

‎01-11-2016 10:48 AM

0 Kudos

hi..

  Create authorization object and try below codes ...

        AUTHORITY-CHECK OBJECT 'Z_AUTH'

             ID 'WERKS' FIELD lv_werks.

      IF sy-subrc <> 0.

        MESSAGE e110 WITH lv_bukrs lv_werks. 

                                       " No authorization

      ENDIF.