topic Re: Authorization for Specific tables in Application Development and Automation Discussions

Authorization for Specific tables

former_member219162 — Tue, 23 May 2006 19:15:23 GMT

Hi,

I have the following requirement. Suggestion or help will be greatly appreciated.

Two of the business users has to be given permission to execute SE16 transaction, but their access will be limited to two tables CATSDB and PA2010. That is the user would only be able to view these two tables.

Please provide a detailed step for doing this.

Is it possible to achieve the same functinality using custom transaction ? If so how ? (These two tables does not have a Maintanance View and they are standard tables).

Regards,

Anirban

Re: Authorization for Specific tables

Former Member — Tue, 23 May 2006 19:22:27 GMT

You cannot restrict SE16 to specific tables. You have to create your own transaction.

Create an authorization object that takes a table name as one of its fields and may be activity also.

Write a small program that takes in the table name as input. Check for the new authorization object that you created upfront and check if the user has display authorization for the table entered in the selection screen. If the authorization check succeeds, then call function module RS_TABLE_LIST_CREATE passing the table name obtained from selection screen. This will take them to the SE16 selection screen for that table.

Regards,

Srinivas

Re: Authorization for Specific tables

RichHeilman — Tue, 23 May 2006 19:25:06 GMT

How about creating simple infosets and queries in SQ02 and SQ01. You can create an infoset for each table, then use these infosets in a query, include whatever selection that you want, and show the data in ALV grids. This way, user does not need access to SE16, and they can only run the queries that are assigned to them.

Regards,

Rich Heilman

Re: Authorization for Specific tables

former_member181966 — Tue, 23 May 2006 19:27:07 GMT

You can use the object :S_TABU_DIS

Also look at

http://www.sapgenie.com/basis/Security%20upgrade%20white%20paper.htm

http://www.thespot4sap.com/Articles/SAP_BC_Authorization_Concept.asp

Tables

SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way a SAP installation functions.

Logical views provided by the ABAP/4 Dictionary of all data (control data, master data, and transaction data) stored in SAP system.

All control tables start with the letter “T”.

Control tables can be displayed and maintained on-line. Menu Path: System - Services - Table Maintenance. In order to restrict tables a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. Authorization object, Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed value = 02 (add, change, or delete) and 03 (display only).

To modify a table structure Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance.

Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.

The SAP Authorization Concept

Authorization checks are a means of protecting functions or objects in the R/3 System. The programmer of the function determines where and how these checks are made, while the user administrator determines (within the framework defined by the programmer) who can execute a function or access an object.

The terms central to the SAP authorization concept are:

Authorization field

This is the smallest unit against which checks can be made. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Fields.

Example: ACTVT and CUSTTYPE.

Authorization object

An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination. The programmer can create authorization fields by selecting Tools → ABAP Workbench → Development → Other tools → Authorization objs → Objects.

Example: The authorization objekt S_TRVL_BKS groups together the authorization fields ACTVT and CUSTTYPE.

Authorization

An authorization is a combination of permitted values for each authorization field of an authorization object. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Authorization.

Example:

S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values

for customer type (CUSTTYPE) and

02 for activity (ACTVT).

Users who have this authorization are allowed to change the bookings of all customers.

S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values

B for customer type (CUSTTYPE) and

03 for activity (ACTVT).

Users who have this authorization are allowed to display the postings of all customers.

Authorization profile

An authorization profile represents a simple workplace in the context of authorizations. An authorization profile contains authorizations for the authorization objects a user needs to operate effectively in a restricted task area. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Profiles.

User master record

Your user master record is checked when you logon to the R/3 system. Through the authorization profiles, this provides restricted access to the functions and objects of the R/3 System. The user administrator creates authorizations by selecting Tools → Administration → Maintain users → Users.

Authorization check

The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.

Example: Check whether the user is allowed to change the postings of business customers:

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'

ID 'ACTVT' FIELD '02'

ID 'CUSTTYPE' FIELD 'B'.

IF SY-SUBRC <> 0.

MESSAGE E...

ENDIF.

If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the authorization S_TRVL_CUS1, the check fails.

Authorization assignment

The system administrator is responsible for assigning user master records with the correct authorizations. You should use the Profile Generator to maintain authorization profiles. However, you can also change them manually. Each authorization object contains authorizations. These are grouped together in authorization profiles such that each authorization profile represents a job description, for example 'flight reservations clerk'. You assign one or more authrization profiles to each user master record. You can assign an authorization to as many authorization profiles as you like, and an authorization profile to as many composite profiles and users as you like. Composite profiles are used in manual authorization maintenance, and form a further division in the authorization structure. However, they are not strictly necessary.

User master record

/ ... \

/ \

Auth. profile Composite auth. profile

/ .. \ / .. \

/ \ / \

Authorization Auth. profile

/ / ... \

/ / \

Values Authorization

Values

Hope this’ll give you idea!!

P.S award the points.

Good luck

Thanks

Saquib Khan

"Some are wise and some are otherwise"

Re: Authorization for Specific tables

Former Member — Tue, 23 May 2006 19:28:52 GMT

Saquib,

S_TABU_DIS does not take a table name as input. So you cannot specifically check if a user has display access to a particular table.

Re: Authorization for Specific tables

former_member181966 — Tue, 23 May 2006 19:33:00 GMT

Yes you are right , its just check "02"03" Etc . I’m also investigating other options . As You can control on the basis of TR.SE11 but still you can by pass it by using SE16.

Let me look in to that .

Re: Authorization for Specific tables

former_member181966 — Tue, 23 May 2006 19:38:19 GMT

Try to use the object :

Authorization Obj. : S_DEVELOP

with values :

DEVCLASS

OBJTYPE TABL

OBJNAME AGR_1251 ( Table name )

P_GROUP

ACTVT 02

You can use Tr.ST01 to trace authorization .

Hope this’ll give you idea!!

P.S award the points.

Good luck

Thanks

Saquib Khan

"Some are wise and some are otherwise"

Re: Authorization for Specific tables

Former Member — Tue, 23 May 2006 19:44:59 GMT

Again Saquib, sorry to bother you, but this is for checking if the user has display access(or change or create of course) to the structure of the table not the contents of the table.