Solved: authorization on PNP logical database

Former Member · ‎05-11-2007

My limited understanding of authorization on reports that uses PNP/PNPCE logical database is that if a user who runs the report does not have authorization for any of the declared infotypes then the report stops with message 'no authorization for infotype ...'. And if the user has authorization for the infotypes but do not have authorizations for some of the PERNRS then it will only display those records that user have authorization for and shows message saying no. of skipped records (of those that user did not have authorization).

Programmers here say that the users who do not have authorization for some infotypes should still be able to see list for other infotypes that they do have authorization for.

-- Please shed some light on this and guide me if there is a cookbook/document out there about this.

Thanks a bunch.

Netra

manohar_kappala2 · ‎05-16-2007

Hi Neha,

Adding further.

Each report is different in its own way and there are various ways of controlling the access to the Reports based on ur scenario.

The first check happens at the P_ABAP level where in it checks the access to the program corresponding to that report and level of access (1,2).

If these are missing then it goes further to check for the explicit access

in objects like

P_ORGIN, P_PERNR etc.

Now in some of these reports the processing is designed in such a way that if the access to an IT is not available it throughs a error message and the processing of the report stops at that instance (this depends on the message type which has been defined at that instance to be displayed) so at this instance you need to have access to that IT to proceed further but in some other cases the check does happen but the processing continues without stopping at that check failure(example is P_PERNR, the check happens but is not required for processing the report).

This is one example but there could even more criterion based on which the processing of the report is terminated or allowed to continue depending on the reports utility

<a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/dbaabc35c111d1829f0000e829fbfe/frameset.htm">The different message types and their significance is as follows</a>

So what you have been told by programmers is true in some cases but surely not accross all the HR reports and all auth objects.

Hope this helps

Manohar

Message was edited by:

Manohar Kappala

Former Member · ‎05-14-2007

Anyone, please?

Former Member · ‎05-14-2007

Below is the documentation from the logical databasefor Authorization Check. I believe it pretty much answer your questions.

Authorization Check: PNP_SW_SKIP_PERNR, PNP_GET_AUTH_SKIPPED_PERNRS

The PNPCE logical database performs an authorization check for all infotype data records that are requested by the report using the INFOTYPES statement. If no authorization exists for even one individual data record of one of the infotypes used, processing of the personnel numbers is terminated by default. In PNP mode, this means that the GET PERAS event (for the personnel number) is skipped. The report is only aware of this if it then (if possible at the END-OF-SELECTION event) calls the PNP_GET_AUTH_SKIPPED_PERNRS macro, which returns a list of the skipped personnel numbers.

In CE mode, the NO_AUTHORITY flag is set in the included ALL_PERNRS table at the GET GROUP event, which indicates to the report that no authorization exists. The following event, GET PERAS, is also not executed for this personnel number. As in PNP mode, the report can get a list of the personnel numbers for which no authorization exists using the PNP_GET_AUTH_SKIPPED_PERNRS macro.

You can enter different settings using the PNP_SW_SKIP_PERNR switch. If you set this switch (at the INITIALIZATION or START-OF-SELECTION events) to N, no more personnel numbers (without authorization) are skipped. Only the data records for which no authorization exists are rejected (that is, not made available). The report has no way of knowing that data records are being withheld from it.

Thanks,

Lye

Former Member · ‎05-15-2007

Lye,

Thank you for your post and it is very helpful. Can you send me a link or document that details this stuff? I appreciate your help.

Netra

Former Member · ‎05-15-2007

The documentation is within SAP. Go to SE36, select the logical database, select Documentation radio button, display. You are there.

Have fun.

manohar_kappala2 · ‎05-16-2007

Hi Neha,

Adding further.

Each report is different in its own way and there are various ways of controlling the access to the Reports based on ur scenario.

The first check happens at the P_ABAP level where in it checks the access to the program corresponding to that report and level of access (1,2).

If these are missing then it goes further to check for the explicit access

in objects like

P_ORGIN, P_PERNR etc.

Now in some of these reports the processing is designed in such a way that if the access to an IT is not available it throughs a error message and the processing of the report stops at that instance (this depends on the message type which has been defined at that instance to be displayed) so at this instance you need to have access to that IT to proceed further but in some other cases the check does happen but the processing continues without stopping at that check failure(example is P_PERNR, the check happens but is not required for processing the report).

This is one example but there could even more criterion based on which the processing of the report is terminated or allowed to continue depending on the reports utility

<a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/dbaabc35c111d1829f0000e829fbfe/frameset.htm">The different message types and their significance is as follows</a>

So what you have been told by programmers is true in some cases but surely not accross all the HR reports and all auth objects.

Hope this helps

Manohar

Message was edited by:

Manohar Kappala