What is the use of Authorization Checks
To ensure that a user has the appropriate authorizations when he or
she performs an action, users are subject to authorization checks.
The following actions are subject to authorization checks that are performed
before the start of a program or table maintenance and which the SAP applications
cannot avoid:
- Starting SAP transactions (authorization object S_TCODE)
- Starting reports (authorization object S_PROGRAM)
- Calling RFC function modules (authorization object S_RFC)
- Table maintenance with generic tools (S_TABU_DIS)
In coming posts, we will see how to add authorization checks for Reports
and transactions.
Purpose of assigning authorization groups for tables:
You can assign authorization groups to tables to prevent users from accessing
tables using general access tools (such as transaction SE16). A user requires
not only authorization to execute the tool, but must also have authorization
to access tables with the relevant group assignments. For
this case, we deliver tables with predefined assignments to authorization
groups. The assignments are defined in table TDDAT; the checked authorization
object is S_TABU_DIS.
Now we will see how to assign or create an authorization group for a table:
Go to transaction SE54, enter the table name, choose Authorization Group, and then
click Create/Change. You can create an authorization group there.
Example:
You can assign a table to authorization group Z001. (Use transaction
SM30 for table TDDAT) A user that wants to access this table must have
authorization object S_TABU_DIS in his or her profile with the value Z001
in the field DICBERCLS (authorization group for ABAP Dictionary objects).
Authorization Check:
In the earlier post, we saw the importance of authorization
checks in a real-time environment. We know how to check authorization for
table maintenance.
Now we will see how to check authorization for reports, transactions, and
RFC function modules.
The following actions are subject to authorization checks that are performed
before the start of a program or table maintenance and which the SAP applications
cannot avoid:
- Starting SAP transactions (authorization object S_TCODE)
- Starting reports (authorization object S_PROGRAM)
- Calling RFC function modules (authorization object S_RFC)
- Table maintenance with generic tools (S_TABU_DIS)
The authorization objects S_TCODE, S_PROGRAM, S_RFC, and S_TABU_DIS are
standard objects provided by SAP.
Creating a new authorization object is not in the scope of an ABAP developer.
It is taken care of by the SAP Basis team.
To add an authorization check to your program, add the following
code to your report. If you have created a transaction code for
your report, use the authorization object S_TCODE to check the authorization.
You can place the code in the INITIALIZATION event.
*Initialization
INITIALIZATION.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'ZEXAMPLE'.
  IF sy-subrc <> 0. "Not Authorized
    MESSAGE e003(ZZ) WITH 'TCD' 'ZEXAMPLE'.
  ENDIF.
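The S_TABU_DIS check described above is made by the generic tools, so a custom report that reads a table itself has to make the same check explicitly. The following is an added example, not code from the original page: the report name ZEXAMPLE_TABU_CHECK and the table ZEXAMPLE_TAB are placeholders, and message e003(ZZ) is reused from the report above on the assumption that it accepts two placeholders.

```abap
REPORT zexample_tabu_check.

* Added example. ZEXAMPLE_TABU_CHECK and ZEXAMPLE_TAB are placeholder
* names; message 003 of class ZZ is assumed to take two placeholders.
CONSTANTS: gc_table    TYPE tabname       VALUE 'ZEXAMPLE_TAB',
           gc_no_group TYPE tddat-cclass  VALUE '&NC&', "table has no group
           gc_display  TYPE c LENGTH 2    VALUE '03'.   "ACTVT 03 = display

DATA gv_group TYPE tddat-cclass.

START-OF-SELECTION.

* Look up the authorization group assigned to the table in TDDAT.
  SELECT SINGLE cclass FROM tddat INTO gv_group
    WHERE tabname = gc_table.

* Tables without an assignment are checked against group &NC&.
  IF sy-subrc <> 0 OR gv_group IS INITIAL.
    gv_group = gc_no_group.
  ENDIF.

* Same object the generic tools check: the group goes into DICBERCLS,
* the intended activity into ACTVT.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD gv_group
    ID 'ACTVT'     FIELD gc_display.

  IF sy-subrc <> 0. "Not authorized: stop before any table data is read
    MESSAGE e003(zz) WITH 'DICBERCLS' gv_group.
  ENDIF.

* Reached only when the user holds S_TABU_DIS for this group.
  WRITE: / 'Authorized for table', gc_table, 'group', gv_group.
```

With the assignment from the example above, a user needs S_TABU_DIS with Z001 in DICBERCLS to get past the check.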
(c) www.sap-basis-abap.com All material on this site is
Copyright.