Skip to Content

Hi

I am going to explain that how we can implement authorization or any other check on SD documents display transactions.

Business Requirement

You get a requirement to put some authorization check on SD documents display/change transactions based on some field which is not available in standard authorization objects. How would you do that?

Solutions that come to your mind

First thing you get in your mind is to use some userexit for this but that is not gonna help you in display transactions. You can’t do that using SD userexits available for sale order, delivery order and billing document. Usually we implement checks in MV45AFZZ for sale order, MV50AFZ1 for delivery order and RV60AFZZ for invoice. There are also many other enhancements available but these are three most commonly used.

Problem with these enhancements and userexits is that these are helpful in VA02,VL02N and VF02 but for display transactions these are not triggered and can’t help you out. If you use authority check logic in these exits system doesn’t check that in display transactions. So what do we do here?

Proposed Solution

There are certain enhancements which system calls on display transactions. These are not that easy to find but since we have worked on it and found these so I thought I should share here so that anyone else facing such requirement can get benefit of it.

For VA03

  • Go to VA03 > System > Status and copy program name from here and see the screen number. For VA03 program name is SAPMV45A and screen number is 102.
  • Now go to SE80 and enter program name in program and double click on screen 102. Here you’ll see following module. Double click on that and add the authority check coding or any other code as per below screen.

Capture.JPG

Capture.JPG

Here you can see my message that I have written for testing. You can add authority check code or any other function/BAPI or check that you want to trigger on VA03. For adding this its good that you take help from your ABAPER because it requires an implicit enhancement implementation and if you don’t know how to do it ask your ABAPER.

After adding this you’ll get this message everytime you open VA03 > give sale order number and press enter.

Capture.JPG

For VL03N

Go to VL03N transaction code and see the program and screen number like we did in previous step.

Go to SE80 and repeat the same and double click on following module.

Capture.JPG

Here click on following perform.

Capture.JPG

Here add your logic in below section by implementing an implicit enhancement.Capture.JPG

Following is the message which you’ll see everytime you open a delivery order.

Capture.JPG

For VF03

Repeat the same steps for VF03 and copy program name SAPMV60A and note the screen number 101. Double click on following module.

Capture.JPG

Here click on following perform.

Capture.JPG

Add your code in below section after implementing an implicit enhancement.

Capture.JPG

Following is the message that I have added here and you’ll see this every time you open an invoice in VF03.

Capture.JPG

This is it. Simple and easy way to trigger anything on start transaction of any SD document display transaction code. We did this only for these three transaction codes. If there is requirement for other transactions we can find triggering point for those as well.

Test this in your system and share your negative/positive feedback with me in comment section. If there is some other way to meet this requirement please share that. 

This document is related to authorization control so I’d like to tag Security here and this document includes technical information as well so ABAP Development guys can also use this for future reference. Usually this requirement comes in SAP ERP Sales and Distribution (SAP SD) SAP ERP SD Billing or in SAP ERP SD Sales so I am tagging these spaces as well.

Thank$

To report this post you need to login first.

18 Comments

You must be Logged on to comment or reply to a post.

  1. Sijin Chandran

    Authorization check …

    Authorizations for different tcodes can be easily orchestrated by creating according authorization Roles , Objects and accordingly assigning to Users , User Groups , a BASIS Guy can explain it better ( in short ๐Ÿ˜‰   ).

    I think this is the best and recommended solution for this. If no alternative is there then we should move into coding as the last only option left.( My humble opinion ๐Ÿ™‚ )

    (0) 
    1. ' MoazzaM ' Post author

      Hi

      I appreciate and agree to your opinion and this is what I suggest too. This document is about something else. When we are not able to control anything from standard authorization object then only in this case we go for coding. Going for coding itself requires some techniques which I have shared here.

      Thank$

      (0) 
    2. Jelena Perfiljeva

      Sijin, I hope you realize that all the nice authorization checks that make the Roles, Objects, etc. actually work are, in fact, programmed in ABAP. Even if an authorization object exists and is added to the roles, etc., a programmer actually has to put the command AUTHORITY-CHECK in the corresponding place(s). Don’t know why but this seems a common misconception in the functional community that roles work through some kind of magic. There is no magic in SAP, only ABAP. ๐Ÿ™‚

      On the same note, I wish MoazzaM could’ve included the AUTHORITY-CHECK command in the samples but then he’s not an ABAPer, so this is not a step-by-step guide but just an implementation suggestion.

      Obligatory disclaimer – enhancements are certainly much better than modifications of the old days but they should be approached with similar caution.

      P.S. The toolbar button that looks like a spiral is the one that shows the available enhancement locations.

      (0) 
      1. ' MoazzaM ' Post author

        I agee with you Jelena and you are right about my coding skills ๐Ÿ™‚

        There are many threads and may be documents available on how to implement enhancements thats why I didn’t add that part. Being a functional I tried to make it functional document.

        This is true that there is no magic in SAP. Only ABAP ๐Ÿ˜Ž

        Thank$

        (0) 
      2. Sijin Chandran

        Sijin, I hope you realize that all the nice authorization checks that make the Roles, Objects, etc. actually work are, in fact, programmed in ABAP

        Yeah I do understand the same . SPRO Config. setting , Authorization Roles , Pricing Procedure, FI Validations ( OB28 ) and Substitutions etc etc..  all these are nothing but ABAP Codes only with different flavor and functionalities .

        I raised this comment because I have seen many senior members always preaching that if a Functional or Systematic alternative for a Process is there then go for it instead of unnecessarily hampering the codes , I myself believe the same.

        Test this in your system and share your negative/positive feedback with me in comment section.

        And the above lines of Mozzam made me feel free to raise my points ๐Ÿ™‚

        (0) 
        1. Jelena Perfiljeva

          Just in case the previous comments still have not made it crystal clear – this blog does not contradict the SAP Authorization concept, it shows how a custom authorization check can be implemented in SD. It’s not “use roles vs. coding”. Roles don’t work without coding. You will also find AUTHORITY-CHECK commands in the standard SAP code checking for the standard authorization objects.

          Unfortunately we still see quite a few times people making suggestions ‘oh, just ask Basis to create a role’ when someone is asking about additional authorization check. But this is just nonsense. You can set up whatever roles but they won’t do anything if there are no properly coded authorization checks.

          (0) 
  2. Dibyendu Patra

    Implicit enhancement is a very good functionality.. We can achieve a lots of things which is not possible via standard configuration.. Thanks for sharing your view..

    (0) 
  3. Muhammad Asad Qureshi

    Dear Moazzam,

    Very well effort for the authorization check.

    Via Implicit enhancement functionality in SAP, we can validate any field over any form according to our custom mask and also we can put validations too. But in some cases, this is not possible for the objects disallowed by SAP completely. I will definitely share as soon as i will go through such example.

    Regards,

    Muhammad Asad Qureshi

    (0) 
    1. ' MoazzaM ' Post author

      Muhammad Asad Qureshi

      Thank you dear for sharing this valuable and useful idea with me and its you who actually found this technique and the credit goes to you. I am expecting you to share your knowledge here in SCN so that users like me can get some benefit of it.

      Thank$

      (0) 
  4. Muhammad Asad Qureshi

    Dear Moazzam,

    Finally, As it has already been mentioned in the above thread that there are various programs in SAP whose amendments are forbidden by SAP itself. So here is an example of this. Although, the Function Group is created by the client but changes to an include in this FG is forbidden by SAP itself. PFA

    Forbidden Rule.png

    Well in the above image, you can clearly see that Function group is not the standard one but it is customized. and the include Program i.e. LZCLM02UXX is also customized. This Include program is a part of Function Group and contains the entries of all the function modules contained in the Function Group. When a new function module is created using this Function Group, SAP system automatically inserts an entry in this file for that respective function module.

    When i want to change the file manually, It gives me a message “Changes to LZCLM02UXX” are forbidden by SAP*” . . .

    So this is an example where we cannot insert our Include statement. Although we can place an implicit enhancement in it but since the changes are forbidden by SAP so, this has to be left exactly as it is as maintained by SAP.

    Regards,

    Muhammad Asad Qureshi

    (0) 
    1. ' MoazzaM ' Post author

      Dear Asad

      Thank you very much for sharing this information and making it more clear for me and other users. Appreciated your efforts.

      Thank$

      (0) 
  5. Karl Rockwell

    Explicit enhancement points exist for sales order and invoice which are preferable to implicit ones. They are inย Include MV45AF0B_BERECHTIGUNG_PRUEFEN and

    In function RV_INVOICE_DOCUMENT_READ

    ENHANCEMENT-POINTย RV_INVOICE_DOCUMENT_READ_03ย SPOTSย ES_SAPLV60A.

    (1) 

Leave a Reply