11-01-2022 7:27 AM
Hi All,
I want to add an authority check for an authorization group in my ABAP code, but I didn't find any answers.
My Authorization group is ZSHP1.
I tried the code below, but it's not working.
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
  ID 'CLASS' FIELD 'ZSHP1'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e011(z001). "Action not allowed
ENDIF.
The group is maintained in SU01.
Regards,
Ganesh
11-01-2022 7:32 AM
In my system, the data element linked to the authorization object is 4 characters long.
11-01-2022 7:41 AM
Check the authorization object in SU21, go into the field of the object, and check the control table (TBRG).
11-01-2022 8:29 AM
Hello,
Hmm, maybe you are mixing up the user group on tab "Logon Data" with the group(s) on tab "Groups"?
The user group on the "Logon Data" is the right one for authorization checks using S_USER_GRP. The groups on tab "Groups" are for classification purposes only and can be used for selection of users in SUIM or SU10.
Therefore, effective for the authorization check is the group in tab "Logon Data".
Kind regards
Jan
11-01-2022 8:41 AM
Can you clarify in which tcode and tab I can maintain the group, and what the ABAP code for this will be?
11-01-2022 9:14 AM
Hello,
The maintenance transaction for user groups is SUGR. Assignment to users can be done in SU01 (or SU10) in the already mentioned tabs "Logon Data" and "Groups".
ABAP code: for authorization checks, the code in your question looks OK. However, it is not totally clear to me what the aim is: to check against the value in tab "Logon Data" or against the values in tab "Groups". For both, I would suggest using function module BAPI_USER_GET_DETAIL. You will find the user groups in export structure LOGONDATA or in table GROUPS, respectively.
Kind regards
Jan
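The lookup suggested in the reply above, as an added example that is not part of the original thread: it reads the current user's "Logon Data" group and "Groups" tab entries through BAPI_USER_GET_DETAIL and denies the action when the BAPI reports an error. The report name, variable names and the choice to accept either tab are assumptions; ZSHP1 and message e011(z001) are taken from the question.

```abap
REPORT z_check_user_group. " hypothetical report name

CONSTANTS c_usergroup TYPE xuclass VALUE 'ZSHP1'. " group from the question

DATA: lv_user      TYPE bapibname-bapibname,
      ls_logondata TYPE bapilogond,
      lt_groups    TYPE STANDARD TABLE OF bapigroups,
      lt_return    TYPE STANDARD TABLE OF bapiret2.

START-OF-SELECTION.
  lv_user = sy-uname.

  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username  = lv_user
    IMPORTING
      logondata = ls_logondata   " tab "Logon Data": field CLASS
    TABLES
      groups    = lt_groups      " tab "Groups": one row per group
      return    = lt_return.

  " Fail closed: if the user master could not be read, do not
  " treat empty result structures as a valid answer.
  LOOP AT lt_return TRANSPORTING NO FIELDS WHERE type CA 'EA'.
    MESSAGE e011(z001). "Action not allowed
  ENDLOOP.

  " Keep the two sources apart: only the "Logon Data" group is the one
  " S_USER_GRP refers to; the "Groups" tab is classification only.
  DATA(lv_in_logon_group) = xsdbool( ls_logondata-class = c_usergroup ).
  DATA(lv_in_groups_tab)  = xsdbool(
    line_exists( lt_groups[ usergroup = c_usergroup ] ) ).

  " Assumption: membership in either place is accepted here. Drop one
  " of the two conditions to enforce a single source.
  IF lv_in_logon_group = abap_false AND lv_in_groups_tab = abap_false.
    MESSAGE e011(z001). "Action not allowed
  ENDIF.

  WRITE: / 'Logon Data group match:', lv_in_logon_group,
         / 'Groups tab match:      ', lv_in_groups_tab.
```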
11-01-2022 9:40 AM
Used the select query below instead of the authority check.
SELECT SINGLE usergroup FROM usgrp_user
  INTO @DATA(lv_usr_grp)
  WHERE bname = @sy-uname
    AND usergroup = @c_usergroup.
IF sy-subrc <> 0.
  MESSAGE e011(z001). "Action not allowed
ENDIF.
11-01-2022 11:28 AM
This solves your issue, but is not related to your question about "authority-check" and "authorization group", so it will mislead future visitors into thinking that they will find an answer to the initial question. I think that Jan Modaal's answer will help future visitors more.