Question:
Hi,
I'm more of a Basis guy than roles/authorizations so I hope someone can tell me where I'm going wrong in this simple procedure.
A developer wants to put an AUTHORITY-CHECK in a program to check a new authorization object (no fields). If the user has the Authorization Object, then it can use the new program(s).
In SU21 I created a new Object Class ZXXX. I then created a new Authorization Object ZXXXXX within this Class. No fields were entered.
In PFCG I created a new role, went into Authorizations tab, generated a profile, then went to Change Authorization Data, and manually added my new Authorization Object, which appears in the 'tree'. BUT - both the Authorization Object and the Profile are 'Inactiv'. Clicking on the 'Reactivate' icon has no effect.
Any ideas how to get these 'Active'?
Thanks.
Answer:
First: maintain the authorizations, then generate the role / profiles.
Second: Could you not find a SAP standard authorization object to control these programs?
Practice is (even if uncommon) to create a transaction code (S_TCODE) to submit your ABAPs and put an auth group on them (report RSCSAUTH). Additionally, if the programs can, for example, display creditors master data, you use the authority-check statement against (e.g.) F_LFA1_BUK and get your program to react to it.
Tarr
Answer:
Thanks,
But how do I maintain the authorizations when the new authorization object remains 'inactive' in PFCG? Generating the role/profile has no effect.
Can't use a SAP standard authorization object as this is completely new development, outside of standard SAP.
Answer:
Hi,
The reason the new object is inactive could be that you don't have any fields attached. Try to change the object and add the ACTVT field to it. Then your developer can add an authority-check on this object where field ACTVT = 03 and you can add activity 03 Display to the object in the role to get the user access to the transaction.
There is another way to do this as well if you wish this object to be a "second" transaction start check (except for S_TCODE) and that is to add this object as an auth-check for this transaction in transaction SE93.
By doing that you don't need to add it in the ABAP code.
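
Added example, not part of the original thread: one way the check suggested in the last answer could look in ABAP, assuming object ZXXXXX has been given the ACTVT field. The report name and message texts are hypothetical. AUTHORITY-CHECK only sets sy-subrc, so the program has to evaluate it and stop on its own.

```abap
REPORT zxxx_authcheck_demo.  " hypothetical report name (assumption)

START-OF-SELECTION.
  " Check the custom object from the thread for activity 03 (Display).
  " The statement never stops the program by itself; it only sets sy-subrc.
  AUTHORITY-CHECK OBJECT 'ZXXXXX'
    ID 'ACTVT' FIELD '03'.

  CASE sy-subrc.
    WHEN 0.
      " User holds ZXXXXX with ACTVT = 03: fall through to the protected logic.
    WHEN 4.
      " Object is in the user master, but not with the requested activity.
      MESSAGE 'ZXXXXX is assigned, but not with activity 03'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    WHEN 12.
      " No authorization for the object in the user master at all.
      MESSAGE 'No authorization for object ZXXXXX'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    WHEN OTHERS.
      " Any other return code is treated as a failed check (fail closed).
      MESSAGE 'Authorization check for ZXXXXX failed'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
  ENDCASE.

  " Protected program logic starts here.
  WRITE: / 'Authorization check passed.'.
```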