authorization to control access to specific directory in AL11

siongchao_ng
Contributor
0 Kudos

Hi all,

I want to control a specific user's ability to read/write in AL11.

Name of directory: \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA

Where and how do I do that?

Please give clear step by step procedure to do this.

Someone said go to SU21 and change the authorization object S_DATASET, but it doesn't have any fields for me to specify which users or which specific file path. If I change that directly in SU21, it will hit all users and all file paths in AL11.

1 ACCEPTED SOLUTION

siongchao_ng
Contributor

Finally solved this problem! Here is the solution. Tested.

  1. Create a dummy user, ZTEST1. Password = Welcome123456
  2. Copy the ZSUP_FI_DISPLAY_ITSS_TEST role into ZFI_ASSET_SERVER_ATS_INBOUND
  3. Amend the authorization object S_DATASET in the ZFI_ASSET_SERVER_ATS_INBOUND role, let's say to only allow delete, so user ztest1 cannot read/write
  4. Assign this role to user ztest1

Log in as user ztest1

User ztest1 cannot read the file with error message below.

12 REPLIES

TammyPowlas
Active Contributor

Hello- the best and easiest thing to do is run an STAUTHTRACE transaction while accessing the directory. That will provide all the authorizations needed.

0 Kudos

Found it's the S_DATASET authorization object.

Example: I want user Ali to only be able to read files inside \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA

So how is the example given applicable here?

FredericGirod
Active Contributor
0 Kudos

A good friend is transaction SU24; if it has been correctly maintained, you will find all authorization objects by transaction.

0 Kudos

frdric.girod

I don't get it. What am I supposed to do here?

Example: I want user Ali to only be able to read files inside \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA

So how is the example given applicable here?

raymond_giuseppi
Active Contributor

SAP advises against the 'use of S_DATASET to control general access rights to files from ABAP, or user-dependent authorization checks.' So:

  • Look at table SPTH to assign some authorization group to directories.
  • The authorization object S_PATH handles authorization to groups.

0 Kudos

raymond.giuseppi

Example: I want user Ali to only be able to read files inside \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA

sy-subrc is forever 0, and it cannot solve the example above. Where to restrict Ali?

No effect at all.

AUTHORITY-CHECK OBJECT 'S_PATH'
  ID 'FS_BRGRU' FIELD 'RCCG'
  ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
  " Implement a suitable exception handling here
ENDIF.

0 Kudos

Don't add an authority-check statement in code, it will be automatically performed by Dataset statements.

  • Use the search link provided to read online help
  • Look at current records of the table SPTH, add a record with the directory, assign a code for group and set SAVEFLAG to X.
  • Create roles (PFCG) allowed or not with the directory group
  • Assign roles to user (SU01)

Which steps did you already perform? Could you paste the SPTH table (only records related to this question)?

Also execute SU53 or a trace to understand any unexpected result.

0 Kudos

raymond.giuseppi

This is the entry in SPTH I created. I am only allowed to enter the RCCG authorization group to save the entry. There is no other allowable entry.

Created the PFCG as well.

Let's say I don't want user NGSC to be able to read files in \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA

So I didn't assign this created role to NGSC and guess what? NGSC is still able to go to the path \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA and read all the files inside.

So what is wrong in the steps detailed above?

  1. You can create new groups in table SPTHB (this table is the value table of the domain FS_BRGRU associated with the authorization field).
  2. Execute a trace or use SU53 on this user to identify some unwanted authorizations (e.g. already allowed to group RCCG or even every group with * value in another role)
  3. 2459510 - FAQ: Authorization check with S_PATH when accessing files describes the authorization-check process.
  4. I'm too old, remove the SAVE flag (seems now obsolete) 

Sandra_Rossi
Active Contributor
0 Kudos

Your requirement is not clear: should this one user access or not access this directory? And not access other directories at all?

The authorization concept is a one-week training; I'm not sure how we can sum it up here in a few sentences...

  • Users are assigned roles (SU01)
  • Roles are assigned authorizations (PFCG; objects S_DATASET, etc.)
  • Authorizations are only appended, they cannot be removed: once an authorization is given in one role, it's impossible for another role to deactivate that authorization.
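
The additive behaviour described in the replies above (leaving a role unassigned removes nothing, and a `*` group in another role still grants access), as a simplified model. This is an added example, not part of any post in the thread and not SAP code; the role names, the ZFIN group, the longest-prefix rule and ACTVT 03 for read access are assumptions.

```python
# Simplified model of an SPTH + S_PATH decision (illustrative, not SAP code).
from dataclasses import dataclass

DIR = r"\\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA"
SPTH = {DIR: "RCCG"}  # SPTH-like table: directory -> group (FS_BRGRU)

@dataclass(frozen=True)
class Auth:           # one S_PATH authorization held by a role
    fs_brgru: str     # group value, "*" = every group
    actvt: str        # "02" change, "03" display (assumed), "*" = all

# Constructed sample roles and assignments; all names are hypothetical.
ROLES = {
    "Z_ATS_INBOUND_READ": [Auth("RCCG", "03")],
    "Z_LEGACY_BASIS": [Auth("*", "*")],    # broad grant in an older role
    "Z_OTHER_GROUP": [Auth("ZFIN", "03")],
}
USERS = {
    "ALI": ["Z_ATS_INBOUND_READ"],
    "NGSC": ["Z_LEGACY_BASIS"],            # never given the new role
    "ZTEST1": ["Z_OTHER_GROUP"],
}

def _under(path, prefix):
    """True if path is the directory itself or lies below it."""
    path, prefix = path.lower(), prefix.lower().rstrip("\\")
    return path == prefix or path.startswith(prefix + "\\")

def group_for(path):
    """Group of the longest matching SPTH directory, or None (assumed rule)."""
    hits = [p for p in SPTH if _under(path, p)]
    return SPTH[max(hits, key=len)] if hits else None

def granting_roles(user, path, actvt):
    """Roles of the user that allow actvt on the group protecting path."""
    group = group_for(path)
    return [
        role for role in USERS[user]
        if any(a.fs_brgru in (group, "*") and a.actvt in (actvt, "*")
               for a in ROLES[role])
    ]

def can_access(user, path, actvt):
    """Union over all roles: one granting role is enough, none can revoke."""
    if group_for(path) is None:
        return True   # assumption: no group in SPTH, so S_PATH does not restrict
    return bool(granting_roles(user, path, actvt))
```

In this model `granting_roles("NGSC", ...)` names the role responsible for the unexpected access, which is the question SU53 or an authorization trace answers on a real system.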

siongchao_ng
Contributor
0 Kudos

sandra.rossi

Example: I want user Ali to only be able to read files inside \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA

So how do I go about it with this given user Ali and filepath \\sysld01\usr\interface\ATS\INBOUND\ASSET\DATA?

The rest of the world means cannot read the file inside.
