如何设计和使用自定义的权限对象(自定义权限检查函数)

在sap扩展中用户往往都需要使用自己的权限对象，为了达到次目的，请按下列步骤建立和维护权限对象

1、Create an Anthorization Field（SU20）创建权限对象字段（存储在AUTHX表中）

2、Create an Authorization Object（SU21) 创建权限对象 
创建权限对象类别（存储在TOBCT表中）
点击对象类别创建权限对象（存储在TOBJ表中），生成SAP_ALL

3、Assign an Authorization Object to an Object Class(SU02或PFCG)

4、权限赋值关系图

                        user  master record
                        /  ..............................\
            auth. profile              Composite auth. profile
              /.................\                      /                  \
             /                   \                    /                    \
  Authorization                                            Auth. Profile
     /                                                               /.................\          

5、Call "Authorith-Check" in Program  to Check Authorization.

这是我编写针对具体权限对象替代Authorith-Check的函数

form zcustcheckauth using  value(z_vkbur) like vbak-vkbur
                     z_return type i.
data: wa_ust12 like ust12.
data: bgetsubfile(1) type c.
data: begin of db_file occurs 10,
         profile like ust04-profile,
         typ     like usr10-typ,
      end of db_file.

data: begin of mid_db_file occurs 10,
         profile like ust04-profile,
         typ     like usr10-typ,
      end of mid_db_file.

data: begin of db_file_end occurs 10,
         profile like ust04-profile,
      end of db_file_end.

data: begin of db_auth occurs 10,
         objct like ust10s-objct,
         auth like ust10s-auth,
      end of db_auth.

   z_return = 4.
   select ust04~profile usr10~typ
     into corresponding fields of table db_file
     from ust04
       inner join usr10 on usr10~profn = ust04~profile
         and usr10~aktps = 'A'
   where ust04~bname = sy-uname.

   refresh mid_db_file.
   clear mid_db_file.
   loop at db_file.
      if db_file-typ <> 'C'.
        db_file_end-profile = db_file-profile.
        append db_file_end to db_file_end.
      else.
        bgetsubfile = 'X'.
        append db_file to mid_db_file.
      endif.
   endloop.
   refresh db_file.
   clear db_file.

   while bgetsubfile = 'X'.
     bgetsubfile = space.
     select ust10c~subprof as profile usr10~typ
       into corresponding fields of table db_file
     from ust10c
       inner join usr10 on usr10~profn =  ust10c~subprof
         and usr10~aktps = 'A'
     for all entries in mid_db_file
     where ust10c~profn = mid_db_file-profile.

     refresh mid_db_file.
     clear mid_db_file.
     loop at db_file.
      if db_file-typ <> 'C'.
        db_file_end-profile = db_file-profile.
        append db_file_end to db_file_end.
      else.
        bgetsubfile = 'X'.
        append db_file to mid_db_file.
      endif.
     endloop.
     refresh db_file.
     clear db_file.
   endwhile.

   select objct auth into corresponding fields of table db_auth
   from ust10s
   for all entries in db_file_end
   where ust10s~aktps = 'A' and ust10s~profn = db_file_end-profile.

   select von bis into corresponding fields of wa_ust12
     from ust12
     for all entries in db_auth
     where ust12~aktps = 'A' and ust12~field = 'VKBUR'
       and ust12~objct = db_auth-objct
       and ust12~auth = db_auth-auth.

     if ( wa_ust12-bis ne space ).
        if ( z_vkbur ge wa_ust12-von ).
          if ( z_vkbur le wa_ust12-bis ).
            z_return = 0.
            exit.
          endif.
        endif.
     elseif ( z_vkbur = wa_ust12-von ).
       z_return = 0.
       exit.
     elseif ( '*' = wa_ust12-von ).
       z_return = 0.
       exit.
     endif.
   endselect.
endform.
调用的方法

*&---------------------------------------------------------------------*
*&      Form  USEREXIT_CHECK_VBAK
*&---------------------------------------------------------------------*
*                                                                     *
*       This Userexit can be used to add additional logic for         *
*       checking the header for completeness and consistency.         *
*                                                                     *
*       US_DIALOG  -  Indicator, that can be used to suppress         *
*                     dialogs in certain routines, e.g. in a          *
*                     copy routine.                                   *
*                                                                     *
*       This form is called from form VBAK_PRUEFEN.                   *
*                                                                     *
*---------------------------------------------------------------------*
form userexit_check_vbak using us_dialog.
*{   INSERT         DEVK901354                                        1
 data: z_s_vkbur like knvv-vkbur.
 data: z_auth_check type i value 4.
 if sy-tcode = 'VA01' or
    sy-tcode = 'VA02'.
   authority-check object 'V_VBKA_VKO'
                 id 'VKORG' dummy
                 id 'VTWEG' dummy
                 id 'SPART' dummy
                 id 'VKBUR' field vbak-vkbur
                 id 'VKGRP' dummy
                 id 'KTAAR' dummy
                 id 'ACTVT' dummy.
   if  sy-subrc ne 0.
     message e900(zdev).
   endif."不能创建非主管商家订单
   if sy-tcode eq 'VA01'.
     select single vkbur into z_s_vkbur
     from knvv
     where knvv~kunnr =  vbak-kunnr
       and knvv~vkorg =  vbak-vkorg
       and knvv~vtweg =  vbak-vtweg
       and knvv~spart =  vbak-spart
       and knvv~vkbur =  vbak-vkbur.
     if sy-subrc ne 0.
       message e001(zdev).
     endif.
   endif.
 else.
   perform zcustcheckauth using vbak-vkbur z_auth_check.

   if  z_auth_check ne 0.  "如果没有权限,取当前商家主管销售组
     select single vkbur into z_s_vkbur
     from knvv
     where knvv~kunnr =  vbak-kunnr.
     if sy-subrc ne 0.
       message e001(zdev).
     endif.    "检查当前商家主管销售组是否在用户权限内
     z_auth_check = 4.
     perform zcustcheckauth using z_s_vkbur z_auth_check.
     if z_auth_check ne 0.
       message e900(zdev).
     endif.
  endif.
 endif.
*}   INSERT

endform.