ABAP Session – 3_4-Authorizations


  • 7/30/2019 ABAP Session 3_4-Authorizations


    AUTHORITY-CHECK You can use this statement at run time to check whether the user.


    Is the user authorized to call the transaction?

    The authorization object S_TCODE (call transaction) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

    Authority Check: In the program, the programmer specifies an authorization object and the required values for each authorization field.

    The system then searches the authorization profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the command.

    If the authorization is found and it contains the correct values, the check is successful.


    Authorization Fields: represent the values to be tested during authorization checks. This is the smallest unit against which checks can be made.

    To create authorization fields, choose Tools -> ABAP Workbench -> Development -> Other tools -> Authorization objects -> Fields, or use Tcode SU20.

    To create an authorization field:

    1. Choose Create authorization field.

    2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.

    3. Assign a data element from the ABAP Dictionary to the field.

    Authorization objects: An authorization object groups together 1 to 10 authorization fields, which can then be checked as a combination.

    Create authorization fields by selecting Tools -> ABAP Workbench -> Development -> Other tools -> Authorization objs -> Objects.

    E.g.: F_BKPF_BUK

    Object class: Authorization objects are divided into classes for comprehensibility. An object class corresponds, e.g., to an application (Financial accounting, etc.).

    The SAP authorization concept object classes are under Tools -> Administration -> User maintenance -> Authorizations, or go to transaction SU21.

    Authorizations: An authorization is a combination of permitted values for each authorization field of an

    Create authorizations by selecting Tools -> Administration -> Maintain users -> Authorization.

    Profile: User authorizations are grouped together in authorization profiles and not usually assigned directly to user master records.

    You can create profiles manually, but you should use the Profile generator (Tcode - PFCG).

    Roles: Various profiles are grouped together to form roles, which are usually assigned to the user master (Tcode - PFCG).

    User Master Record: These enable the user to log on to the SAP System and allow access to the functions and objects in it within the limits of the specified authorization profiles.


    Explanation of the previous slide's color codes


    Create the above-mentioned objects in the order specified.


    Authorization check

    The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.

    Example: Check whether the user is allowed to change the postings of business customers:

    If the authorization F_BKPF_BUK exists in the user's master record, the authorization check is successful.
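
    A check of this kind could be written as follows. This is an added example, not code from the original slides: the report name and the parameter p_bukrs are hypothetical, and the field names BUKRS and ACTVT with activity value '02' (change) come from the SAP standard definition of F_BKPF_BUK, not from this page.

```abap
REPORT z_auth_check_demo.

" Constructed input: the company code whose postings are to be changed.
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

START-OF-SELECTION.
  " F_BKPF_BUK groups two fields: BUKRS (company code) and ACTVT (activity).
  " ACTVT value '02' is the standard activity code for "change".
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '02'.

  " The statement only sets sy-subrc. It does not stop the program,
  " so the caller has to evaluate the result and fail closed.
  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Authorized to change postings in company code', p_bukrs.
    WHEN 4.
      " The object is in the user's profiles, but not with these values.
      MESSAGE 'No change authorization for this company code'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    WHEN 12.
      " No authorization for F_BKPF_BUK in the user master record at all.
      MESSAGE 'No authorization for object F_BKPF_BUK'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    WHEN OTHERS.
      " Any other return code is treated as a denial.
      MESSAGE 'Authorization check failed' TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
  ENDCASE.

  " Protected logic (changing the posting) would start here.
```

    Every field of the object is named in the check, so the result reflects the combination of company code and activity rather than either value alone.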