USR12 Authorization values

Question: I'm trying to understand the authorization values field in USR12.

I can identify the field names that the authorization object is referring to, but am unsure what the other values are?

e.g.
M F0045C02ACTVT V02B06E09E23E43V60B61E65E78F0038C04TTYPE ECUSTEDTRAEMOVEETRAN

The field names are "ACTVT " and "TTYPE "

TIA

Answer:
You need the SAP code to decipher the "encrypted" code.


"M F0045C02ACTVT V02B06E09E23E43V60B61E65E78F0038C04TTYPE ECUSTEDTRAEMOVEETRAN "

In the record the leading 'M' means modified; the rest of the letters and numbers tell SAP what to do with the next set of numbers:
'F' is to define the field name
'E' = Individual value
'G' = Generic value
'V' = beginning of interval, etc.

The code to decipher this is:
FORM READ_USR12 USING VALUE(OBJECT) VALUE(AUTH) VALUE(AKTPAS) RC.
  DATA: INTFLAG TYPE I VALUE 0,
        OFF TYPE I,
        VTYP,
        LNG TYPE I,
        CLNG(2),
        GLNG(2).
* <FS> is a placeholder name for the field symbol used below.
  FIELD-SYMBOLS: <FS>.
* AKTIVATED, INWORK, FLDLNG, SETFILL and TABSET are not declared in
* this form; they come from the surrounding program.
*
  CLEAR USR12.
  RC = 0.
  IF AKTPAS = AKTIVATED OR AKTPAS = INWORK.
    SELECT SINGLE * FROM USR12 "Explicit active or maintenance version
      WHERE OBJCT = OBJECT
      AND AUTH = AUTH
      AND AKTPS = AKTPAS.
  ELSE.
    SELECT SINGLE * FROM USR12 "Otherwise try the maintenance version first
      WHERE OBJCT = OBJECT
      AND AUTH = AUTH
      AND AKTPS = INWORK.
    IF SY-SUBRC <> 0.
      SELECT SINGLE * FROM USR12 "Not found, so read the active version
        WHERE OBJCT = OBJECT
        AND AUTH = AUTH
        AND AKTPS = AKTIVATED.
    ENDIF.
  ENDIF.
  IF SY-SUBRC = 0.
    SETFILL = 0.
    REFRESH TABSET.
    CLEAR TABSET.
    OFF = 2.
* Decode the values and load them into the internal table TABSET
    ASSIGN USR12-VALS+OFF(1) TO <FS>.
    WRITE <FS> TO VTYP.
* Read the variable part up to FF (= end marker)
    WHILE VTYP <> ' ' AND OFF < USR12-LNG.
      OFF = OFF + 1.
* VTYP is the key that says whether this is a field name, a single
* value, the start of an interval or the end of an interval.
      CASE VTYP.
        WHEN 'F'. "Field name
          OFF = OFF + 5.
          ASSIGN USR12-VALS+OFF(2) TO <FS>.
          WRITE <FS> TO CLNG.
          LNG = CLNG.
          IF LNG <= 0.
            RC = 1.
            EXIT.
          ENDIF.
          OFF = OFF + 2.
          ASSIGN USR12-VALS+OFF(FLDLNG) TO <FS>.
          WRITE <FS> TO TABSET-SFIELD.
          OFF = OFF + FLDLNG.
        WHEN 'E'. "Single value
          ASSIGN USR12-VALS+OFF(LNG) TO <FS>.
          WRITE <FS> TO TABSET-VON.
          IF TABSET-VON = SPACE.
            TABSET-VON = ''' '''. "Blank is allowed as a value
          ENDIF.
          APPEND TABSET.
          SETFILL = SETFILL + 1.
          TABSET-VON = SPACE.
          TABSET-BIS = SPACE.
          OFF = OFF + LNG.
        WHEN 'G'. "Generic value
          ASSIGN USR12-VALS+OFF(2) TO <FS>.
          WRITE <FS> TO CLNG.
          GLNG = CLNG.
          OFF = OFF + 2.
          ASSIGN USR12-VALS+OFF(LNG) TO <FS>.
          IF INTFLAG = 0.
            WRITE <FS> TO TABSET-VON.
            WRITE '*' TO TABSET-VON+GLNG.
          ELSE.
            WRITE <FS> TO TABSET-BIS.
            WRITE '*' TO TABSET-BIS+GLNG.
            INTFLAG = 0.
          ENDIF.
          APPEND TABSET.
          SETFILL = SETFILL + 1.
          TABSET-VON = SPACE.
          TABSET-BIS = SPACE.
          OFF = OFF + LNG.
        WHEN 'V'. "Start of interval
          INTFLAG = 1.
          ASSIGN USR12-VALS+OFF(LNG) TO <FS>.
          WRITE <FS> TO TABSET-VON.
          IF TABSET-VON = SPACE. "Blank is allowed as a value
            TABSET-VON = ''' '''.
          ENDIF.
          OFF = OFF + LNG.
        WHEN 'B'. "End of interval
          INTFLAG = 0.
          ASSIGN USR12-VALS+OFF(LNG) TO <FS>.
          WRITE <FS> TO TABSET-BIS.
          IF TABSET-BIS = SPACE. "Blank is allowed as a value
            TABSET-BIS = ''' '''.
          ENDIF.
          APPEND TABSET.
          SETFILL = SETFILL + 1.
          TABSET-VON = SPACE.
          TABSET-BIS = SPACE.
          OFF = OFF + LNG.
      ENDCASE.
      ASSIGN USR12-VALS+OFF(1) TO <FS>.
      WRITE <FS> TO VTYP.
    ENDWHILE.
  ELSE.
    RC = SY-SUBRC.
  ENDIF.
ENDFORM.
_________________
John A. Jarboe
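
The record layout that READ_USR12 walks, as an added Python example (not part of the original post and not SAP's code): it decodes a VALS string into per-field value entries and, going one step beyond the ABAP, tests whether a given value is covered by them. The sample is constructed from the record quoted above with the field names re-padded; `FLDLNG = 10`, plain string ordering for intervals, and the names `parse_vals` and `covers` are assumptions.

```python
FLDLNG = 10  # assumption: field names are blank-padded to 10 characters

def parse_vals(vals):
    """Decode a USR12-VALS string into {field: [(low, high), ...]}."""
    auth, field, lng, low, off = {}, None, 0, None, 2  # first tag at offset 2
    while off < len(vals) and vals[off] != " ":
        tag, off = vals[off], off + 1
        if tag == "F":                      # field header
            off += 5                        # skip the 5 characters before the length
            lng = int(vals[off:off + 2])    # length of each value that follows
            if lng <= 0:
                raise ValueError("bad value length")
            off += 2
            field = vals[off:off + FLDLNG].rstrip()
            auth[field] = []
            off += FLDLNG
            continue
        if field is None or tag not in "EGVB":
            raise ValueError(f"unexpected tag {tag!r} at offset {off - 1}")
        if tag == "G":                      # generic: 2-digit prefix length first
            glng = int(vals[off:off + 2])
            off += 2
            val = vals[off:off + lng][:glng] + "*"
        else:
            val = vals[off:off + lng].rstrip()
        off += lng
        if tag == "V":                      # interval start: hold until B (or G)
            low = val
        else:                               # E is single; B/G may close an interval
            start = low if tag in "BG" and low is not None else val
            auth[field].append((start, val))
            low = None
    return auth

def covers(auth, field, value):
    """True if value matches a single, generic or interval entry of field."""
    for low, high in auth.get(field, []):
        lo, hi = low.rstrip("*"), high.rstrip("*")
        if low == high:                     # single or generic entry
            if value == low or (low.endswith("*") and value.startswith(lo)):
                return True
        elif lo <= value and value[:len(hi)] <= hi:   # assumed: string order
            return True
    return False

# Constructed sample: the record quoted on this page, field names re-padded.
SAMPLE = ("M F0045C02" + "ACTVT".ljust(FLDLNG) + "V02B06E09E23E43V60B61E65E78"
          + "F0038C04" + "TTYPE".ljust(FLDLNG) + "ECUSTEDTRAEMOVEETRAN")
```

For the sample, `covers(parse_vals(SAMPLE), "ACTVT", "03")` is true because 03 lies inside the interval 02 to 06, while 07 is not covered.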

Answer:
Thank you for that - that is exactly what I needed.

This however leads me to another question.

The code basically gives me something similar to table UST12.

I guess in part my question is, what do the "values" mean, e.g.
09, 23, 43 for object field "ACTVT" and
CUST, DTRA, MOVE, TRAN for object field "TTYPE"

To give a bit more background in what I'm trying to do...
Given a transaction code (e.g. SE01) I'm trying to work out who is authorised to run the transaction. So if I run transaction "TSTCA" with a TCODE of "SE01" it returns two entries:

TCODE  OBJCT       FIELD  VALUE
SE01   S_TRANSPRT  ACTVT  03
SE01   S_TRANSPRT  TTYPE



I can then go through a process of mapping the data through tables USR12->USR10->USR04->USR02 to find the authorised users, but what I don't understand is how authorisation objects returned by "TSTCA" map to authorisation objects in UST12 (or ultimately USR12). How do I test if an authorisation object in UST12 meets the requirements (other than object name and field names matching) - I guess the values have a meaning.

I know there are reports in SAP to do this for you, but I have to do this external to SAP through tables.

TIA

Answer:
TSTCA table is useless since the advent of authorization object S_TCODE in version 3.0. It is in effect a double tcode start check and the values should be deleted. You MUST have the access in the TSTCA table before the tcode will start and show the first screen, same thing S_TCODE does.

UST12 is a "text" version of USR12 only desperately wrought with errors. Unless you write a program to periodically sync the USTxx tables to the USRxx table the data in UST12 is less than accurate and gets worse as time goes on.

The ACTVT values are in table TACT and the ones applicable to the authorization object in question are in TACTZ.

Report RSUSR010 gives you what you want, but it cannot tell you if the user can COMPLETE the tcode, only start it.

SU24 and a look at the user's role in PFCG will give you an 85% probability (Based on SAP delivered SU24) of whether the user can complete the tcode.
