Business Case:

When Business wants to give access for projects according to any specific object which is not given by SAP Standard than we have to create Custom Authorization Object to suffice this requirement.

I have encountered a situation where Business wants to restrict users on basis of Project Profile for Example: If User has Authorization for Profile1 than only user will able to Access/Open that Project having project Profile “Profile1”.

Solution:

For above requirement below are the steps:

1: Create Authorization Field

The Authorization Object is used to check the user’s privileges for specific data selection. An Object Class contains one or more Authorization Objects.

Authorization is controlled by Authorization Object which is assigned/maintained in Profile/Roles and then this Role will be assigned to User Master Record.

Create Authorization Field using TCODE-SU20

profile.JPG

2: Create Authorization Class (Object Class)

Transaction – SU21 Create a new Authorization Class (Object Class) by clicking on the Create button’s drop down icon, then select “Object Class”.

profile.JPG

profile.JPG

Enter Object Class Name and Description.

3: Create Authorization Object

profile.JPG

profile.JPG

Maintain Object name, Text, Class and Authorization Field.

4: Assign Authorization Object to Roles

TCODE-PFCG

profile.JPG

5: Code to Check this Object in User Master Record.

for this ABAP Consultant has created as below

profile.JPG

profile.JPG

Code Behind report source “LCJWBF0Z” is:

*———————————————————————-*

*       FORM Profil

*———————————————————————-*

*       Profil lesen und in PROJ ablegen

*       Sonstige Standardwerte bei Anlegen in PROJ fuellen

*———————————————————————-*

*  –>  Profid    Id

*———————————————————————-*

form profil using value(pro_id) like tcj41profidproj.

ENHANCEMENT ZPSPROFILE.  

     AUTHORITY-CHECK OBJECT ‘ZPSPROFILE’

            ID ‘PROFL’ FIELD ‘*’ .

         if sysubrc = 0 .

           else.

          if pro_id = ‘ZLGLPRO’ .

             AUTHORITY-CHECK OBJECT ‘ZPSPROFILE’

              ID ‘PROFL’ FIELD pro_id.” ‘__________’.

                if sysubrc <>  0 .

              MESSAGE ‘No Authorization for ZLGLPRO’ type ‘E’ .

              endif.

         else.

           AUTHORITY-CHECK OBJECT ‘ZPSPROFILE’

              ID ‘PROFL’ FIELD pro_id.” ‘__________’.

              if sysubrc <> 0 .

              MESSAGE ‘NOT Authorized ‘ type ‘E’ .

             endif.

          endif.

      endif.

   

ENDENHANCEMENT.

Testing for above Code:

Check Authorization:

profile.JPG

If we create/change Project where Project Profile as ZCAPEX than system will allow to User to create/change

profile.JPG

System will allow to create/change

Now check with Other project Profile:

profile.JPG

Now system generate Error Message for Authorization.

Hope, this will Help a lot.

Enjoy SAP..

To report this post you need to login first.

5 Comments

You must be Logged on to comment or reply to a post.

  1. Krishna Raj Pattath Sankaran

    Hi Sunil,

    This was really helpful.

    Quick question on this, so this custom auth object can be used in any other transaction where WBS is being used?

    For eg, for CJR2 Tcode where planning is done for WBS and cost element, can I use this custom object so it would restrict only WBS with a certain profile?

    Or is this custom object applicable to only CJ20N/Project creation t-code?

    Regards,

    Krishna

    (0) 
    1. Sunil Yadav Post author

      thanks Krishna 🙂

      this particular object is for CJ20N but you can ask Technical to enhance this to other TCODES as well.

      (0) 
  2. sanjeev chauhan

    Hi Sunil,

    document is pretty nice with the help of this user can know like how authorization object create and work in sap system.

    keep it up 🙂

    Regards,

    sanjeev

    (0) 

Leave a Reply