Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Programmatically assigning Authorization Objects to roles

Former Member

‎03-11-2008 7:41 AM

0 Kudos

Hi there,

I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).

What I want to do is the following:

There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.

In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.

Is there any functionality, that allows me to perform this assignment and regenerate the users profile?

I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.

Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?

Thank you very much,

Gregor

Edited by: Gregor Bender on Mar 11, 2008 8:41 AM

3 REPLIES 3

jurjen_heeck
Active Contributor

‎03-11-2008 7:53 AM

0 Kudos

> 

> I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.

Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.

For mass regenerating profiles there's transaction SUPC.

For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.

If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.

Former Member

‎03-11-2008 10:59 AM

0 Kudos

> I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.

You have misinterpreted the meaning of the table and the fields. Your statement indicates that you have already updated the table directly. Appart from the generally frowned upon practice of updating SAP tables, you obviously don't know what you are doing - so rather steer well clear of doing that (sorry, just being honest).

> Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?

Yip: Transaction PFCG to open the roles: add the object (various techniques) and maintain the fields there.

Cheers,

Julius

Former Member

‎03-11-2008 11:34 AM

0 Kudos

There is nothing as standard which will do this & I would not programmatically add objects (org levels are far simpler). Apparently the next release of Role Expert (which has now been renamed) will have the ability to do this. I'm still waiting to see it do that though.