
Will there be an authority check?

Former Member
0 Kudos

Hi all,

I am an ABAPer, and I want to know whether there will be any authorization issue in fetching the records from the table, i.e. for a particular user, the retrieval of records of a certain particular company code is not possible.

The user was able to run the transaction these days, but recently she was encountering the issue. It means that even for the roles she has, she would be able to run the transaction.

But might the authority not be given at the table level, or, while fetching the data, will it verify whether the data could be given to the user or not?

Please clarify for me whether it is possible to block the user from retrieving certain data, especially data specific to company codes.

She is able to work with other company codes, but not with just one company code?

Thanks in advance

1 ACCEPTED SOLUTION

Former Member
0 Kudos

It completely depends on what kind of program you run.

Most SAP-created programs have authority checks built in.

Most customer programs don't have that, because ABAPers did not include authority checks.

Would suggest to contact your security admin and together investigate this (by creating a test user).

Remember: only authority checks that are built in by the designer will work! And the "normal" way of assigning authority checks to a program is by calling a subroutine!

8 REPLIES 8

Former Member
0 Kudos

Depends on the table. Tables are normally assigned to authorization groups, which are checked in S_TABU_DIS. If you're reading a custom-made table, and the developers (or security) all of a sudden decided to assign it to an authority group, it would definitely impact your user's ability to read the contents...

If, on the other hand, this is an SAP standard table, and the user is accessing it via standard SAP functionality, the auth group is not likely to have changed. In that case, it could be that the user is trying to retrieve records belonging to a company for which she's got no access, and that this is limited via standard authority checks... you'll need to provide more info on how these table entries are retrieved. SM30? Standard transaction or menu choice? Custom or SAP table?

Your first step should be to check the user's SU53 output. This would probably explain it all.


0 Kudos

Is there a way to restrict the user from fetching records for a particular company code?

0 Kudos

Yes. Put an authority-check statement in the code that selects only line items with the permitted company code.

Alternatively, you could look at line item authorizations using auth object S_TABU_LIN, but this is a major change and no substitute for correctly writing reports with built-in auth checks.
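The approach suggested in the reply above, sketched as an added example that is not code from any poster in this thread: a report that checks each requested company code with AUTHORITY-CHECK and reads only the permitted ones. The report name, the selection screen, the use of BKPF as the table being read and the choice of the standard FI object F_BKPF_BUK are assumptions (the right object depends on the data your program reads), and the syntax assumes ABAP 7.40 SP08 or later.

```abap
REPORT z_bukrs_auth_demo.
* Added example. Report name, BKPF as the data source and the object
* F_BKPF_BUK (fields BUKRS, ACTVT; ACTVT 03 = display) are assumptions.

TABLES bkpf.
SELECT-OPTIONS s_bukrs FOR bkpf-bukrs.

START-OF-SELECTION.
  DATA lt_allowed TYPE RANGE OF bukrs.
  DATA lv_denied  TYPE i.

  " Resolve the selection to concrete company codes, so that each one
  " is checked individually instead of checking a pattern or an interval.
  SELECT bukrs FROM t001
    WHERE bukrs IN @s_bukrs
    INTO TABLE @DATA(lt_bukrs).

  LOOP AT lt_bukrs INTO DATA(ls_bukrs).
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD ls_bukrs-bukrs
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      APPEND VALUE #( sign = 'I' option = 'EQ' low = ls_bukrs-bukrs )
        TO lt_allowed.
    ELSE.
      " A failed check is what SU53 shows for this user afterwards.
      lv_denied = lv_denied + 1.
    ENDIF.
  ENDLOOP.

  " An empty range table in an IN condition matches every row, so the
  " program must stop here instead of running the SELECT below.
  IF lt_allowed IS INITIAL.
    MESSAGE 'No authorization for the selected company codes'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Only company codes that passed the check reach the database read.
  SELECT bukrs, belnr, gjahr FROM bkpf
    WHERE bukrs IN @lt_allowed
    INTO TABLE @DATA(lt_docs)
    UP TO 100 ROWS.

  LOOP AT lt_docs INTO DATA(ls_doc).
    WRITE: / ls_doc-bukrs, ls_doc-belnr, ls_doc-gjahr.
  ENDLOOP.
  WRITE: / lv_denied, 'company code(s) skipped: no authorization'.
```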

0 Kudos

What does this mean in SU24:

U N C CM Check ID Object Object name

. . <tick> . Check S_TCODE Authorization Check for Transaction Start

0 Kudos

Please contact your security admin, as this is absolutely a thing not to be touched by an ABAPer.

U = Unchecked

C = Check

CM = Check/Maintain.

But what it means and how the settings should be is up to the security administrator.

Please do not try to solve this all by yourself but consult the experts in your own company.

0 Kudos

Hi Naveena,

U - Unchecked - This authority object is not checked when the transaction is executed.

C - Checked - This is checked during execution of the transaction, but maintenance of authorization fields should be done based on individual requirements.

CM - Check and Maintained - Checked during execution, and auth field values are maintained by SAP (Default Field Values).

I hope this clarifies your query?

Regards,

Priyank.

0 Kudos

One remark:

CM = check/maintain, which means that the values stored in USOBT_C (SU24) will be used in PFCG when the trx is added to a role!

Customers can maintain the object values in SU24 themselves if wanted; SAP only offers a default set of objects/values in table USOBT!