topic Re: Authorization object and Authorization group in Application Development and Automation Discussions

Authorization object and Authorization group

Former Member — Fri, 06 Apr 2007 11:08:37 GMT

Hi All,

I want to know the difference b/w Authorization object and Authorization group.

What happens when an Authorization Group is assigned in the Program Attributes and what is the difference b/w this and using Authority-check in the Program.

Regards,

Divya.

Re: Authorization object and Authorization group

Former Member — Fri, 06 Apr 2007 11:25:52 GMT

Hi,

Look at the below link, you will get the answer

http://www.sap-img.com/human/structural-authorization-vs-role-authorization.htm

Regards

Sudheer

Re: Authorization object and Authorization group

Former Member — Fri, 06 Apr 2007 11:26:29 GMT

Press f1 on the Field Authority Group in the Program Attributes to get to know what that field does:

<b>"Authorization Group

Authorization group to which the program is assigned.

The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:

Execute a program

--> Authorization object S_PROGRAM

Edit a program (-Include) in the ABAP Workbench

--> Authorization object S_DEVELOP

Programs that are not assigned to an authorization group are not protected against display and execution.

Security-related programs should, therefore, always be assigned to an authorization group.

Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail.</b>

Read this link for more info:

http://help.sap.com/saphelp_erp2005/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm

Regards,

Ravi

Re: Authorization object and Authorization group

Former Member — Fri, 06 Apr 2007 11:27:41 GMT

Hi Divya,

Check this documentation.

To Assign Authorization Group

The Authorization group can be created as follows

Transaction SE54 ~~>Select 'Authorization Groups'~~>Create/Change-->New Entries.

Now the authorization group created can be assigned to your table.

When you doesn't want the every user to access the Object developed you have to restrict the user , so you create an authorization object for an orgn unit and provide values like Create/change /display(01,02,03 for ACTVT field).

In general different users will be given different authorizations based on their role in the orgn.

We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

USe SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>

ID <authority field 1> FIELD <field value 1>.

ID <authority field 2> FIELD <field value 2>.

...

ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

Hope this resolves your query.

Reward all the helpful answers.

Regards

Re: Authorization object and Authorization group

Former Member — Fri, 06 Apr 2007 11:29:37 GMT

Structural Authorization vs Role Authorization

What is the difference between sturctural Authorization and Role Authorization. In what situation we need to maintain the Structural Authorization? For Role Authorization, we maintain it in PFCG. Where and how do we maintain Structural Authorization?

The role authorisation is used for regular authorisation. for example Transaction codes : PA20, PR20, CAT2,CADO, PPMDT, PR05 - It is done based on role assigned by Basis group.

The user id mentioned in IT 0105 is assigned to the TC PFCG

The structural authorisation is typically belongs to HR module. It has both benefits of positive and negative tests.

Steps to do Structural Authorisation:

Step1 : TC OOAC

Activate the Structural Authorisation switch

Step 2 : TC OOSP

Create Structural Authorisation profiles

Step 3 : Assign Structural Authorisation profile to user Id

TC : SE38 and assign report RHRPROFL0 enter object id for example ( Org unit )

Assign regular Role authorisation..

Role Authorization can be set on all Master Data Infotypes i.e. HR/Planning/Payroll/Tcode etc.

Structural Authorizations can be set for the administrator who is involved in different evaluations/accessing structures whether in OM/PD/TE etc. Ex ; Creating, Maintaining, delecting objects in structures. You have to run Report RHPROFL0 to generate Structural Authorizations and they are stored in PD Profile IT i.e. 1017.

If you are manually maintaning more than one S.Authorization profile for a position, you can use 1016 IT also.

For customization see IMG under OM-> Structural authorization. There are many criterias to be considered while creating Structural Authorization profile.

I noticed that in IT1016, we are assign the profile > at the position or org unit level while in PFCG, we assign it at the person level..the the user ID. Does that mean that in Structural Authorization, anyone that hold the position will have the same authorization? Can Structural Authorization stand alone without any role authorization?

Role authorisation is only for ITs access. Same way Structural authorization is only for Structures access..

Ex. An administrator who is supposed to access all employees in own department, role authorization will not help because Org Unit is an Object correct, so you need to use structural authorization...

Ex. If the same administrator is supposed to access all employees based on Ent.Strucutre/Pers.Stru. criterias, role authorization alone sufficient.

Ex. If the same administrator is supposed to access all employees in his own department but not managerial level, then you need both authorizations i.e. role and structural...

An administrator can be assigned both authorizations to access ITs and Objects...

Authorizations (both)can be assigned directly to the position (which is called Indrect Role Assignment) so that they will be assigned to the User automatically whoever occupies.. we donot need to generate each and everytime the user changes..