SAP R/3 форум ABAP консультантов
Russian ABAP Developer's Club

Home - FAQ - Search - Memberlist - Usergroups - Profile - Log in to check your private messages - Register - Log in - English
Blogs - Weblogs News


Post new topic   Reply to topic    Russian ABAP Developer's Club Forum Index -> Security and Monitoring
View previous topic :: View next topic  
Author Message

Joined: 01 Sep 2007
Posts: 1636

PostPosted: Thu Sep 27, 2007 8:19 pm    Post subject: FAQ Reply with quote

Q: How to check authorization for any users?

                      user                = ls_users-uname
                      object              = 'ZERU_BUKRS'
                      field1              = 'TCODE'
                      value1              = l_value1
                      field2              = 'BUKRS'
                      value2              = l_value2
                      user_dont_exist     = 1
                      user_is_authorized  = 2
                      user_not_authorized = 3
                      user_is_locked      = 4
                      OTHERS              = 5.

Q. How to assign/create authorization group for a table:
A. Go to SE54, Give the table name and choose authorization group and then click on create/change. You can create an authorization group using maintenance view V_BRG_54.

You can assign a table to authorization group Z001. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have
authorization object S_TABU_DIS in his or her profile with the value Z001
in the field DICBERCLS (authorization group for ABAP Dictionary objects).

Q. как посмотреть, какие транзакции запускал пользователь?
1) можно вести аудит на запускт транзакций: SM19
2) транзакция SUIM
3) STAD ( только недельные данные ).
4) ST03N - Сборная статистика (выбрать Expert Mode).

In general different users will be given different authorizations based on their role in the orgn. We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
Use SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:


AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.

Useful user authorization & security program
SAP Program Program Description
AGR_CHECK_ALL_ACTIVITY_GROUPS Old roles check report
AGR_CHECK_ALL_AGRS Find All Accounts Without Path to Root
AGR_CHECK_ALL_AGRS_2 Too Many Transaction Codes in the Menu or D_TCODE - Diff. Analys
AGR_CHECK_ALL_AGRS_3 check for Duplicates in the Role Profile Assignment
AGR_CHECK_ALL_AGRS_4 - Duplicates in the Role Profile Assignment -> Single Cleanup
AGR_CHECK_ALL_AGRS_5 - Duplicates in the Role Profile Assignment -> Single Cleanup
AGR_CHECK_AUTHS_DUPLICATES Checking Duplicate Authorizations in Profiles
AGR_CHECK_AUTHS_DUPLICATES_31 Checking Duplicate Authorizations in Profiles
AGR_CONVERT_GENERATED_PROFILE Convert Profiles for a Role into Manual Profiles
AGR_DELETE_ALL_ACTIVITY_GROUPS Mass deletion of roles (Internal Use Only)
AGR_GET_TPRPROF_TEXTS_IN_AGR TPRPROF-Compare texts in the new tables
AGR_MASS_STAR_0_PROBLEM Clean Up Authorization Tables
AGR_MIGRATE_SSM_USR Conversion of old roles to the new maintenance transaction
AGR_REGENERATE_SAP_ALL Regenerate SAP_ALL Profile in all Clients
AGR_RESET_ORG_LEVELS Reset Manual Status and Contents of Organizational Levels
AGR_STAR_0_PROBLEM Clean Up Problem with *0 in the Profile Generator
AGR_XPRA Conversion of old roles to the new maintenance transaction
AGR_XPRA_ALL_CLIENTS Conversion of old roles to the new maintenance transaction
AGR_XPRA_MENUS_REPAIR Repair roles after migration
AGR_XPRA_MENUS_TRANSFER Menu Migration: Including role, save entire tree
AGR_XPRA_REGENERATE_SAP_ALL Regenerate SAP_ALL Profile in all Clients
AGR_XPRA_REGENERATE_SAP_NEW Generate SAP_NEW Profile in All Clients
PFCG_AGRS_WITH_MANUAL_S_TCODE List All Roles with Manual S_TCODE Authorization
PFCG_MASS_DOWNLOAD Bulk role download
PFCG_MASS_IMPORT Bulk rolle import
PFCG_MASS_TRANSPORT Transport of roles
PFCG_MASS_USER_ASSIGNMENT Mass Assignment of Users to Roles
PFCG_ORGFIELD_CREATE Profile Generator: Create New Organizational Level Field
PFCG_ORGFIELD_DELETE Profile Generator: Delete New Organizational Level Field
PFCG_ORGFIELD_UPGRADE Profile Generator: Modification After Upgrade for New Org Level Fields
PFCG_REGENERATE_ACT_GROUPS Generate Role Authorization Profiles
PFCG_REGENERATE_ALL_ACT_GROUPS Generate all role authorization profiles
PFCG_SET_PROFILE_NAMERANGE Set Number Range for Profile Name Proposal
PFCG_TIME_DEPENDENCY Role time-dependency scheduling report
RDDIMPDP Dispatcher for Transport Programs Within SAP System
RSPARAM Parameters
RSSCD100_PFCG Display Change Documents for Role Administration
RSUSADRCK1 User Maintenace - error in address admin (oss note 94104)
RSUSDISTRIBUTE_ALL_COMP Company address distribution
RSUSLAND Report RSUSLAND Central User Administration country definition
RSUSR_S_USER_SAS Activate Authorization Object S_USER_SAS
RSUSR_S_USER_SAS_01 Complete Authorization Data for S_USER_SAS in Roles
RSUSR_S_USER_SAS_02 Convert Authorization Defaults
RSUSR_SYSINFO_PROFILE Report cross-system information/profile
RSUSR_SYSINFO_ROLE Report cross-system information/role
RSUSR_SYSINFO_ZBV Report cross-system information/CUM
RSUSR000 Current Active Users
RSUSR001 Infosystem authorizations
RSUSR002 Users by complex selection criteria
RSUSR002_ADDRESS Users by address data
RSUSR003 Check the Passwords of Users SAP* and DDIC in All Clients
RSUSR004 Restrict User Values to the Following Simple Profiles and Auth. Objs.
RSUSR005 List of Users With Critical Authorizations
RSUSR006 List of Users with Incorrect Logons
RSUSR007 List Users Whose Address Data is Incomplete
RSUSR008 By Critical Combinations of Authorizations at Transaction Start
RSUSR009 List of Users With Critical Authorizations
RSUSR010 Executable Transactions (All Selection Options)
RSUSR012 Search authorizations, profiles and users with specified object values
RSUSR020 Profiles by complex selection criteria
RSUSR030 Authorizations by Complex Selection Criteria
RSUSR040 Authorization Objects by Complex Selection Criteria
RSUSR050 Comparisons
RSUSR060 Where-used lists
RSUSR060OBJ Where-Used List for Authorization Object in Programs and Transactions
RSUSR061 Enter Authorization Fields
RSUSR070 Roles by complex selection criteria
RSUSR100 Change documents for users
RSUSR101 Change documents for profiles
RSUSR102 Change documents for authorizations
RSUSR200 List of Users According to Logon Date and Password Change
RSUSR300 Set External Security Name for All Users
RSUSR304 Reload Table TSTCA From Table TSTCA_C
RSUSR400 Test Environment Authorization Checks (SAP Systems Only)
RSUSR401 Report to give all SAPCPIC users profile S_A.CPIC
RSUSR402 Download user data for CA manager from Secude
RSUSR403 Assign Profile S_A.CPIC to User SAPCPIC in Current Client
RSUSR404 Conversion Program for Authorizations of Basis Development Environment
RSUSR405 Reset all user buffers in all clients (uncritical)
RSUSR406 Automatically Generate Profile SAP_ALL
RSUSR406_OLD Automatically Generate Profile SAP_ALL
RSUSR408 XPRA: Conversion of USOBX-OKFLAG, USOBX-MODIFIED for upgrade tool SU26
RSUSR409 Transfer all translated titles to generated transaction codes
RSUSR421 Clean-up report: TSTC-CINFO if no check in TSTCA
RSUSR500 User Administration: Compare Users in Central System
RSUSR500D Display GUM open changes
RSUSR998 Call Reporting Tree Info System
RSUSREXT Enter External Identification in Table View VUSREXTID (From Rel. 4.5)
RSUSREXTID Enter External Identification in Table View VUSREXTID (From Rel. 4.5)
RSUSRLOG Log Display for Central User Administration
RSUSRSCUC CUA: Synchronization of Company Addresses
RSUSRSCUC_F01 CUA tree processing
RSUSRSCUC_F02 List of companies processing
RSUSRSCUC_F03 Comparison list of company addresses
RSUSRSCUC_F04 Company address processing
RSUSRSCUC_F05 Distribution within CUA
RSUSRSCUC_O01 PBO module for screen 0100
RSUSRSUIM User Information System
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Russian ABAP Developer's Club Forum Index -> Security and Monitoring All times are GMT + 4 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum

All product names are trademarks of their respective companies. SAPNET.RU websites are in no way affiliated with SAP AG.
SAP, SAP R/3, R/3 software, mySAP, ABAP, BAPI, xApps, SAP NetWeaver and any other are registered trademarks of SAP AG.
Every effort is made to ensure content integrity. Use information on this site at your own risk.