Solved: Tcode z0sm authorizatrion railed !!

Former Member · ‎11-27-2007

Folks,

I added tcode z0sm to role, generated the role assigned the role to the user.

but when the user is not able to execute this z0sm. the message reads "you have no authorization."

The SU53 reads ;

" The following object was checked:

object Z0_IM3_IFR_

object class : ZIM3"

Activity 03

Application module dummy

Enitity dummy

Interfce type dummy

Interface dummy

Thanks

Former Member · ‎11-27-2007

Hi george,

It looks like it would be well worth your time tracking down a copy of Authorizations Made Easy and having a read through it - this is basic security admin stuff.

Your SU53 is telling you that the user is missing auth object Z0_IM3_IFR_ with the values supplied.

In this situation it looks like you need to add this to the role containing z0sm or configure SU24 to pull this object through into the role when you add the transaction.

As it's a custom tcode and auth object there may be something I am missing here but I doubt it...........

Former Member · ‎11-27-2007

Hi george,

It looks like it would be well worth your time tracking down a copy of Authorizations Made Easy and having a read through it - this is basic security admin stuff.

Your SU53 is telling you that the user is missing auth object Z0_IM3_IFR_ with the values supplied.

In this situation it looks like you need to add this to the role containing z0sm or configure SU24 to pull this object through into the role when you add the transaction.

As it's a custom tcode and auth object there may be something I am missing here but I doubt it...........

Former Member · ‎11-27-2007

Further to the question, from the Su53, I want to access the Authorizations fields so that I can give more maintainthe fields. for example in the above tcode i wnat to include the give a value 10 , 21.HowCan I do that?

Thanks

Former Member · ‎11-27-2007

Alex,

Thanks!! I have figured this out.I have manually added the auth object.

I have also been readign Auth made easy..its a wonderful book!

Former Member · ‎11-27-2007

George,

It is not a good practice to manually assign an auth object unless it is the last resort. You want to run SU24 and add the auth object to the custom Z transaction code. Manually assigning an auth object on a role is my biggest pet peeve.

If you go to PFCG and open the role and click on the Where-Used List [mountain] on the manually assigned auth object, it won't tell you which tcode is the auth object coming from.

Do the right thing and add the auth object on the tcode.

-John N.

Former Member · ‎11-27-2007

>> [...] for example in the above tcode i wnat to include the give a value 10 ,

>> 21. HowCan I do that?

For that you would need to define a check table, or, define what type of field that authorization field is, using a data element of a domain for which a value range exists.

Based on the names of the fields you mention, I suspect that you would be able to use existing ones. In fact, chances are good that you might even have been able to find existing SAP authorization object(s) to use in a base-check function to achieve the same.

I would even go so far to say that if you look around a bit... you might even find a transaction which already does exactly that which you have created.

Kind regards,

Julius

Former Member · ‎11-27-2007

It might also be that the developer has added an authorization check upfront with the transaction start (see SE93) or upfront in the program on actvt 03 with dummy for the remaining fields => the effect would be that the user at least needs authorization to be able to display (03) each of some-thing for those fields.

When subsequently using the transaction, those some-things then become real-things to control what the user can, for example, execute (typically actvt 16).

If you only added acvtv 16 to the role but not 03, then the user would be able to use the transaction (theoretically), but they cannot start it!

Just a thought which occured to me.

Julius