
Setting up authorisations on a bespoke Transaction

Former Member
0 Kudos

Hi all,

Here is an authorisation query. We have a bespoke transaction with three buttons on it, developed by one of our ABAP chaps. One of the buttons is display only, and the other two buttons are Create and Change. The business would like one group of users to have display only, and another group of users to have Create, Change & Display authorisation. Still being a novice to authorisations please can you tell me how this is achieved/done through PFCG? (note we are on 4.6C)… detailed instructions would be much appreciated.

Many thanks

Sharon

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Sharon,

You can control access to transactions if there are some related checks within the program code for the transaction. Such checks are generally made with the statement AUTHORITY-CHECK in the program. (The program related to a transaction can be found using SE93 trx.)

In a bespoke transaction an ABAPer can introduce at the appropriate location some standard authorization object available in the system or he can create a new authorization object as per the control you want in place. E.g. for a transaction which gets a Company Code value as input from the user and then accordingly allows him to read/change invoices related to the particular company, there should be installed in the program code an authorization object check with two fields BUKRS (Company Code) and ACTVT (Activity).

Note that you can create a new object and new auth field values also if needed.

If such checks exist in the program then you can create one or more roles containing the transaction and all the authorization objects checked within the program code for the transaction. One role may contain only "Display" activity for all objects and the other may contain "create/change" activity as per your needs.

Hope this helps. Please award appropriate points for this reply.

Regards,

Sanju.

4 REPLIES 4

0 Kudos

Hi Sanju,

Thanks for your quick response... and yes I will be awarding points at the end.

Still a couple of further queries... it looks like the programmer has not added any authorisation checks in the transaction, as all I see when I edit the auths in PFCG is tcode?...

The question is what authorisation objects should the programmer be using?... is there a standard authorisation object already available that he can use for this?... also is it typically the responsibility of the Basis person to advise programmers on which Auth Objects/Checks they should be including in their custom programs/transactions?

Thanks again.

S

0 Kudos

Hi Sharon,

To see what auth objects are associated with a transaction, the best ways are to check the program code for object usage or by performing an authorization trace with ST01.

Sometimes we see objects are automatically added in pfcg auth object view. This happens only when the corresponding entries are made in SU24 trx.

In all other cases (generally for Y or Z trxs) you will have to manually add related objects in PFCG along with the transaction code (in menu).

You rightly mentioned that it is a security admin's job to specify the auth object to be implemented for a new transaction. You will need to first determine on what conditions you want to control the access to the t-code. Then when your requirements are ready find if you have a standard SAP auth object which suffices the requirement. A list of the same can be found from SU21. You can otherwise create a new auth field (if needed) and consequently (or otherwise) create a new authorization object with the required fields (again from SU21). This can then be used by the ABAPer.

Regards,

Sanju.

Former Member
0 Kudos

Hello Sharon!

Let's say, for example, one of the buttons is going to do a call transaction to XD01 and the other is going to XD02. In the ABAPer's code he/she could do an authority-check on s_tcode for both XD01 and XD02 in the initialization part of the program. If the user has access to XD01 and not XD02 then the developer can disable the button for change (XD02) and have only the create button enabled. This is only one way you can go about it. The other way is to determine which authorization objects the program is needing and do an authority-check for create, change, display and disable the appropriate buttons. If this is a completely custom program using custom tables, etc., then you could create your own custom authorization object which could check for create, change, and display. Hope this helps!
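
The checks described in this thread, as an added example that is not part of any reply and not the posters' code: a small report that tests a custom authorization object with the fields BUKRS and ACTVT, greys out the buttons a user can never use, and checks again when a button is pressed, because a disabled button alone does not enforce anything. The report name, the object name Z_INVOICE, the button names and the MODIF IDs are assumptions made for this example.

```abap
REPORT zinv_auth_demo.
TABLES sscrfields.

* Z_INVOICE is a hypothetical custom authorization object (SU21) with
* the fields BUKRS and ACTVT; 01 = create, 02 = change, 03 = display.
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.
SELECTION-SCREEN PUSHBUTTON /1(10) b_disp USER-COMMAND disp.
* The last two characters of each MODIF ID carry the ACTVT value.
SELECTION-SCREEN PUSHBUTTON /1(10) b_crea USER-COMMAND crea MODIF ID c01.
SELECTION-SCREEN PUSHBUTTON /1(10) b_chng USER-COMMAND chng MODIF ID c02.

INITIALIZATION.
  b_disp = 'Display'.
  b_crea = 'Create'.
  b_chng = 'Change'.

AT SELECTION-SCREEN OUTPUT.
* Usability only: grey out buttons the user can never use. BUKRS is
* not known yet, so it is skipped with DUMMY and only ACTVT is tested.
  LOOP AT SCREEN.
    IF screen-group1 = 'C01' OR screen-group1 = 'C02'.
      AUTHORITY-CHECK OBJECT 'Z_INVOICE'
        ID 'BUKRS' DUMMY
        ID 'ACTVT' FIELD screen-group1+1(2).
      IF sy-subrc <> 0.
        screen-input = 0.
        MODIFY SCREEN.
      ENDIF.
    ENDIF.
  ENDLOOP.

AT SELECTION-SCREEN.
* Enforcement: check again at the moment of the action, now with the
* company code the user actually entered.
  CASE sscrfields-ucomm.
    WHEN 'DISP'. PERFORM check_auth USING '03'.
    WHEN 'CREA'. PERFORM check_auth USING '01'.
    WHEN 'CHNG'. PERFORM check_auth USING '02'.
  ENDCASE.
* The display/create/change processing would follow here.

FORM check_auth USING p_actvt TYPE c.
  AUTHORITY-CHECK OBJECT 'Z_INVOICE'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD p_actvt.
  IF sy-subrc <> 0.
*   Error message returns the user to the screen; nothing is executed.
    MESSAGE e398(00) WITH 'No authorisation for company code' p_bukrs.
  ENDIF.
ENDFORM.
```

With this in place, the display-only role in PFCG carries the object with ACTVT 03 and the second role carries 01, 02 and 03, each restricted to the company codes that group may work with.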