11-01-2007 11:28 AM
Hi,
Would like to know,
1) what are authorisation objects?
2) How are they created (step by step guide, if possible)?
3) How do we use them for custom table maintenance?
Thanks in advance.
Mick
11-01-2007 11:29 AM
An authorization object is created in tcode SU21, and authorization fields are created in SU20.
For each authorization object, we insert a number of fields. If the field for which we want to create an authorization is not there, we create that field in SU20.
E.g.: F_BKPF_BLA is an authorization object which has two fields, authorization group (BRGRU) and activity (ACTVT). Using this authorization object, you determine with which document type line items can be posted and processed.
Authorizations are created for this object, giving the value permitted for each field.
E.g. authorization 1 - S_AUTH_1
activity - 01
BRGRU - authorization group
Users having this authorization can perform activity 01, that is creating.
Authorization S_AUTH_2
activity - 01, 02, 03
BRGRU - authorization group
Users having this authorization can perform activities 01, 02 and 03, that is create, change and display.
A profile is created to store the authorizations and transactions allowed for a particular user (by defining the role). This is done using transaction PFCG. This profile name is maintained in the user record for each user.
When the user logs in, the user record is checked.
Every time an action is taken by the user, an AUTHORITY-CHECK command must be called in the program:
AUTHORITY-CHECK OBJECT 'F_BKPF_BLA'
  ID 'BRGRU' FIELD T003-BRGRU
  ID 'ACTVT' FIELD '03'.
Now, for this particular login, if an authorization for the given value is present, the transaction is accepted. Else the check fails and the action will not be allowed for the user.
For example, if authorization S_AUTH_1 is there in the profile for that user, then this is allowed. But if only S_AUTH_2 is there, then the check fails.
******************************
Based on roles and authorization concept
Users are assigned to roles
Roles contain authorizations
Authorizations are defined for authorization objects
The system checks authorization objects against the authorizations of the user
Driven by:
InfoProviders
Queries
Data
Different business purpose and goals than OLTP
Focused on displaying, planning, and analyzing data
Use authorization object S_RS_AUTH for the assignment of authorizations to roles
Maintain the authorizations as values for field BIAUTH
If User 1 is chosen and Authorization Objects 1 and 2 should be migrated, you have to choose User 2 as well in order to have a complete user group
Create new profiles
Generation of profiles based on authorization object S_RS_AUTH that contains the new, migrated authorizations
Preserves the existing role concept and adds new profiles to the role
Generated profiles have prefix RSR_
Extend existing profiles
Existing profiles will be extended by authorization object S_RS_AUTH
Undo migration
All migrated authorizations and profiles will be deleted; extended profiles contain empty authorization object R_RS_AUTH containing the migrated authorizations
******************************
SAP authorization concept :
http://help.sap.com/saphelp_nw04/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
Please go through the presentation.
Follow these steps:
1. Before going to authorizations, you have to decide on which InfoObject you have to apply authorizations.
Ex: SD -> Sales Org; MM -> plant, purorg; FI -> companycode.
First you have to decide which area and on which InfoObject.
2. Go to that InfoObject --> Change; there, check the "Authorization relevant object" checkbox.
2. After that you have to go to RSSM; there you have to create the authorization object.
Ex: Zxxx (xxx is the InfoObject name, e.g. 0compcode).
3. In the same transaction screen you have the InfoCube selection radio button; check that, then select on which cube (cube means all queries under that cube) you have to make the authorization for that particular InfoObject.
4. Next go to PFCG, create a role and save it.
5. Go to the Authorization tab; in that, select Edit authorization. It will automatically give authorization templates; in that you have to select only S_RS_RREPU and press Enter.
6. Select the Manual pushbutton; it will ask for the authorisation object. Enter the authorization object that you have created (Zxxx).
7. Click Generate + Enter.
8. Go to the User tab, enter user ID + Enter + click on User comparison + Enter.
9. Save the role.
Regards
vasu
11-01-2007 11:30 AM
Hi Mick,
check below link
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
Regards,
Atish
11-01-2007 11:34 AM
Hi Mick,
If you want to put an authorisation check on the selection screen,
use this logic in the Initialization event.
DATA: V_OBJECT LIKE UST12-OBJCT VALUE 'S_TCODE',
      V_FIELD  LIKE UST12-FIELD VALUE 'TCD',
      V_TCODE  LIKE UST12-VON   VALUE 'ZSZSTOCK'.
*& FUNCTION TO GET THE AUTHORITY CHECK
CALL FUNCTION 'AUTHORITY_CHECK' "#EC ARGCHECKED
  EXPORTING
    USER                = SY-UNAME
    OBJECT              = V_OBJECT
    FIELD1              = V_FIELD
    VALUE1              = V_TCODE
  EXCEPTIONS
    USER_DONT_EXIST     = 1
    USER_IS_AUTHORIZED  = 2
    USER_NOT_AUTHORIZED = 3
    USER_IS_LOCKED      = 4
    OTHERS              = 5.
* -- If the user does not have proper authorization then display message
IF SY-SUBRC <> 2.
  MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
    WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  STOP.
ENDIF.
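
The following is an added example, not code from any poster in this thread or from SAP. It combines the two checks discussed above in one report using the AUTHORITY-CHECK statement for the current user: a transaction-level gate on S_TCODE in INITIALIZATION, and a per-record F_BKPF_BLA display check that evaluates SY-SUBRC directly after each check and hides rows the user is not authorized for. The report name, selection option, variable names and message texts are assumptions; ZSZSTOCK, T003-BRGRU and the object and field names are taken from the posts.

```abap
REPORT zszstock_auth_demo.

* Added example. Report name, variables and texts are constructed;
* S_TCODE, TCD, ZSZSTOCK, F_BKPF_BLA, BRGRU and ACTVT come from
* the thread.
TABLES t003.
SELECT-OPTIONS s_blart FOR t003-blart.

DATA: gt_t003   TYPE STANDARD TABLE OF t003,
      gs_t003   TYPE t003,
      gv_denied TYPE i.

INITIALIZATION.
  " Transaction-level gate: checked once, before the selection screen.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'ZSZSTOCK'.
  IF sy-subrc <> 0.
    " Any non-zero return code is treated as "not authorized".
    MESSAGE 'No authorization for transaction ZSZSTOCK'
      TYPE 'S' DISPLAY LIKE 'E'.
    LEAVE PROGRAM.
  ENDIF.

START-OF-SELECTION.
  SELECT * FROM t003 INTO TABLE gt_t003 WHERE blart IN s_blart.

  LOOP AT gt_t003 INTO gs_t003.
    " Data-level check: one check per record, against the
    " authorization group of that document type, activity 03.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BLA'
      ID 'BRGRU' FIELD gs_t003-brgru
      ID 'ACTVT' FIELD '03'.
    " SY-SUBRC must be read immediately; later statements reset it.
    IF sy-subrc <> 0.
      gv_denied = gv_denied + 1.
      CONTINUE.
    ENDIF.
    WRITE: / gs_t003-blart, gs_t003-brgru.
  ENDLOOP.

  IF gv_denied > 0.
    WRITE: / 'Document types hidden (no display authorization):',
             gv_denied.
  ENDIF.
```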