topic regarding the authorization object in Application Development and Automation Discussions

regarding the authorization object

Former Member — Wed, 08 Aug 2007 04:49:58 GMT

hi,

cany any one tell me about authorization object.

thanks in advance

Re: regarding the authorization object

Former Member — Wed, 08 Aug 2007 04:54:07 GMT

Hi,

If you use the profiles of the user who has authorization, then you can use that Transaction see the doc:

In general different users will be given different authorizations based on their role in the orgn.

We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

USe SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>

ID <authority field 1> FIELD <field value 1>.

ID <authority field 2> FIELD <field value 2>.

...

ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'

ID 'ACTVT' FIELD '02'

ID 'CUSTTYPE' FIELD 'B'.

IF SY-SUBRC <> 0.

MESSAGE E...

ENDIF.

'S_TRVL_BKS' is a auth. object

ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

This Authorization concept is somewhat linked with BASIS people.

As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

Take the help of the basis Guy and create and use.

Regards,

Priyanka.

Re: regarding the authorization object

Former Member — Wed, 08 Aug 2007 04:54:37 GMT

SAP Security and Authorization Concepts

R/3 audit review questions.

Here is a list of items most commonly reviewed by internal/external auditors when reviewing your R/3 system.

It is always a good idea to review this list a couple times a year and to take the appropriate steps to tighten your security.

Review the following :-

System security file parameters (TU02) (e.g. password length/format, forced password sessions, user failures to end

session etc.) have been set to ensure confidentiality and integrity of password.

Security-Parameter-Settings-Documentation

Setup and modification of user master records follows a specific procedure and is properly approved by management.

Setup and modification of authorizations and profiles follows a specific procedure and is performed by someone

independent of the person responsible for user master record maintenance.

An appropriate naming convention for profiles, authorizations and authorization objects has been developed to help

security maintenance and to comply with required SAP R/3 naming conventions.

A user master record is created for each user defining a user ID and password. Each user is assigned to a user group, in

the user master record, commensurate with their job responsibilities.

Check objects (SU24) have been assigned to key transactions) to restrict access to those transaction.

Authorization objects and authorizations have been assigned to users based on their job responsibilities.

Authorization objects and authorizations have been assigned to users ensuring segregation of duties.

Users can maintain only system tables commensurate with their job responsibilities.

Validity periods are set for user master records assigned to temporary staff.

All in-house developed programs contain authority check statements to ensure that access to the programs are properly

secure.

Select a sample of :-

Changes to user master records, profiles and authorizations and ensure the changes were properly approved.

(The changes can be viewed with transaction (SECR).

Ensure that security administration is properly segregated. At a minimum there should be separate administrators

responsible for:

- User master maintenance. (This process can be further segregated by user group.)

- User profile development and profile activation. (These processes can be further segregated.)

Verify that a naming convention has been developed for profiles, authorizations and in-house developed authorization

objects to ensure:

- They can be easily managed.

- They will not be overwritten by a subsequent release upgrade (for Release 2.2 should begin with Y_ or Z_ and for

Release 3.0 by Z_ only.)

Assess through audit information system (SECR) or through a review of table USR02, whether user master records have

been properly established and in particular:

- The SAP_ALL profile is not assigned to any user master records.

- The SAP_NEW profile is not signed to any user master records. Verify that procedures exist for assigning new

authorization objects from this profile to users following installation of new SAP releases.

Assess and review of the use of the authorization object S_TABU_DIS and review of table authorization classes

(TDDAT) whether :-

- All system tables are assigned an appropriate authorization class.

- Users are assigned system table maintenance access (Through S_TABU_DIS) based on authorization classes

commensurate with their job responsibilities.

Assess and review of the use of the authorization objects S_Program and S_Editor and the review of program classes

(TRDIR) whether:

- All programs are assigned the appropriate program class.

- Users are assigned program classes commensurate with their job responsibilities.

Ensure through a review of a sample of :-

- In-house developed programs that the program, code either:

- Contains an Authority-Check statement referring to an appropriate authorization object and valid set of values;

- Contains a program Include statement, where the referred program contains an Authority-Check statement referring to

an appropriate authorization object and valid set of values.

I think an auditor would want to know what methods you are using to approve who gets what profile and what method you are using to document it so that if you review your documentation you could compare it with what authorization the user currently has and determine if the user has more authorizations (roles) than he has been approved for by the approval system in place.

example.

am using sm01 for locking transaction. but it locks that transaction to all the user. i want to lock the particular transaction to particular user. how can i do it.

please help me. it is very urgent.

ans

Restricting T-codes is to be done by auth object S_TCODE.

You have to add this auth object in the respective role of the user for whoom you want to restrict access and in the auth object you can mention the tcodes which he can access.

Pfcg - to create/edit role

su01 - to create/edit user

Re: regarding the authorization object

Former Member — Wed, 08 Aug 2007 05:03:57 GMT

Hi,

Authorization object is used to check the authorization for the user to execute the program

You create authorization object using tcode su21

Regards

Arun