Question:
Hi there,
There's something I'd like to make sure on how SU24 works:
If an authorisation object does not appear in SU24 for a transaction, does that mean that there won't be any check at all on that object in the transaction?
As an example, in 4.6C, the objets F_BKPF_BLA doesn't appear in SU24 for the transaction F110. Does that mean that I can be sure a user will be able to process this transaction without any authorisation for that object?
Answer:
If an authorisation object does not appear in SU24 for a transaction, does that mean that there won't be any check at all on that object in the transaction?
No.
As an example, in 4.6C, the objets F_BKPF_BLA doesn't appear in SU24 for the transaction F110. Does that mean that I can be sure a user will be able to process this transaction without any authorisation for that object?
No.
But if you look at the other objects in F110 the table reference is REGU not BKPF. so the chances are they will not need F_BKPF_BLA for pure F110 execution. If f110 allows you to branch to FB03, FB02, F-43, etc then you will need F_BKPF_BLA .
Answer:
Does SAP check SU24 every time before granting an access ? otherwise, appreciate if anyone could just briefly describe how SAP grant access.
Thanks.
Answer:
At a pretty high level:
A user has a User Master Record
In the user master record, collections of authorisations are assigned (roles/activity groups/profiles)
When a user executes a transaction, SAP checks for authorisation for the transaction code (S_TCODE). There are usually subsequent authorisation checks in the code (usually AUTHORITY-CHECK statement). If these values are not available in the users buffer (fed from the authorisations in the User Master) then often a no authorisation message will be given.
When creating roles, SU24 allows you to assign auth objects to transactions, however this is often inaccurate because SAP is lazy and different ways of using functionality will determine some of the authorisation checks.
Hope that helps
Cheers,
Al.
Answer:
which means that we need to maintain the authorisation objects for su24 for certain authorisations.......
_________________
The heart has its reasons which reason knows not of
PASCAL
Answer:
Hi everyone!
Al. wrote
When creating roles, SU24 allows you to assign auth objects to transactions, however this is often inaccurate because SAP is lazy and different ways of using functionality will determine some of the authorisation checks.
So a question is how to make r3 check authorized object which i have assigned to transaction?
thank you
Answer:
Hi everyone!
Al. wrote
When creating roles, SU24 allows you to assign auth objects to transactions, however this is often inaccurate because SAP is lazy and different ways of using functionality will determine some of the authorisation checks.
So a question is how to make r3 check authorized object which i have assigned to transaction?
thank you
It needs to be in the code for the transaction/program.
Answer:
Hi,
Then there's only one answer to your question:
New ABAP code must be inserted into your transaction.
If it's a customized transaction, you can just add new ABAP code into your existing code to halt processing once an AUTHORITY-CHECK fails.
If it's a standard transaction, which in your case is true because you're referring to Tcode F110, you will need to insert your authorization check in USER EXITS (Pls read up on the documentation of user exits for further clarification).
Answer:
Thanks all for your replys
Sap_zombie I only have heard about USER EXITS but i don't know what is it. Where i can read about it? could you pass me links of documentation?
once again Thanks to everyone and thank God that you are
Answer:
Hi belan,
You can view the comprehensive documentation of user-exits / customer-exits by (SAP has changed the terminology to Customer Exits):
1. Clicking on the Help -> Application Help menu option in transaction CMOD.
2. Follow this link: http://help.sap.com/saphelp_47x200/helpdata/en/c8/1975cc43b111d1896f0000e8322d00/frameset.htm
Please note that the documentation I've given above only explains the fundamental concept and the technical info on customer-exits. What you will definitely need is some familiarity with the customer-exits that are specific to your area of application.
Because of this, the OSS will usually have specific notes that explain what customer-exits are available for use in specific areas of application (eg. MM-PUR, FI-TV, etc.).
Furthermore, there are also area-specific customer-exit documentation in help.sap.com . Please look for the one that suits your application.
In a nutshell, working with customer-exits generally involves:
1. Searching for a suitable exit.
2. Including the exit into a modification project (CMOD).
3. Inserting your own code into the exit.
4. Activating your project, thereby activating your customized code.
Good luck!
Answer:
Thank you very much sap_zombie and thanks to everyone