Application Development and Automation Blog Posts

Pradeep555 (Explorer)
AUTHORITY-CHECK IN ABAP: 

AUTHORITY-CHECK is the ABAP statement through which a program verifies that the current user is allowed to perform a given function or activity in the SAP system. 

Let us look at an example of such an activity: 

To create a material or a sales order, I am supposed to have an authorization. 

The system checks whether I am authorized for the task; only then does it proceed further. 

A general analogy: when applying for leave, the manager needs to authorize our leave request. 

 

What happens in SAP? 

In SAP, the Basis person assigns the authorization object to the user ID so that the activity can proceed. 

 

Terminology in authority-check: 

  • Object class: a container for authorization objects 
  • Authorization object: the object against which the authorization is checked 
  • Authorization field: an authorization object has authorization fields, which are used to define the field values 

The hierarchy is: an object class contains authorization objects, and each authorization object contains authorization fields. 

T-CODES: 

  • Authorization field: SU20 
  • Object class and authorization object: SU21 

 

OVERVIEW: 

The first and foremost thing is to check for an authorization object class, which is the container for authorization objects. 

Once we create the object, we need to assign the field to it. 

 

 

Scenario: 

Suppose we are using transaction MM01 to create a material, and we get an error. 

At this point we can ask the Basis people to check the authorization, in case we need one. 

 

Steps: 

  1. Create a material and put external BP. 

 

 

  2. Put a breakpoint on the statement AUTHORITY-CHECK. 

  • Here we can see the auth object is 'M_MATE_NEW' 
  • Field: 'DUMMY' 
  • Value: '*' 

 

 

 

  3. If we look up the field in SU20: 

 

 

 

  4. Whenever we execute, sy-subrc = 0 indicates that we are authorized; otherwise sy-subrc = 12 indicates that we are not authorized to create the material. 

 

 

 

  5. Here the field ACTVT has been provided; let us have a glance at it. 

 

 

 

The field ACTVT has a set of permitted values (click the status icon beside ACTVT): 

  • 01: Create 
  • 02: Change 
  • 03: Display 

 

  6. If we provide a material and put external BP, we get the same authorization value. 

 

 

 

  7. So in ACTVT we saw 02 for change, and likewise for display: here ACTVT holds the value 03 and we can see the field value. 

 

 

 

 

Now let's take a real-time scenario: 

Implementing authorization checks in an ABAP program is crucial to ensure that only authorized users can perform operations like INSERT, UPDATE, or DELETE on your cylinder data, which includes delivery charges, stock, and cylinder types. Here is how you can set up and demonstrate an AUTHORITY-CHECK based on the cylinder batch ID: 

 

Steps: 

  1. Create the authorization object class in SU21 

 

 

 

  2. Save it 

 

 

  3. Create the authorization field 

 

 

  4. Select the operation you want to perform on the DB 

 

  5. Select the activity and save it 

 

 

Scenario: in the report we have a stock table, and a particular user can delete, update and insert. Once we are done with the auth object, the Basis person will create a role using transaction PFCG. 

 

  6. If we go to transaction SU01 and click on Roles, we can see the assigned roles. 

 

 

  7. The authorization field and value will be assigned by Basis and will be reflected here. 

After assigning the role: 

 

 

Code: 
REPORT zpd_rp_auth_chek.

" Key of the stock table: the cylinder batch ID.
TYPES : BEGIN OF lty_bid,
          cylinder_batch_id TYPE zpd_de_batch_id,
        END OF lty_bid.

" Fields pre-filled on the selection screen for the update case.
TYPES : BEGIN OF lty_display,
          delivery_charge TYPE zpd_de_charge,
          cylinder_type   TYPE zpd_de_cylinder_type,
          stock           TYPE zpd_de_stock,
        END OF lty_display.

DATA : lwa_data    TYPE zpd_t_stock,          " work area for INSERT/UPDATE
       lwa_bid     TYPE lty_bid,
       lt_bid      TYPE TABLE OF lty_bid,
       lwa_display TYPE lty_display.

PARAMETERS : p_id     TYPE zpd_de_batch_id OBLIGATORY,
             p_charge TYPE zpd_de_charge,
             p_type   TYPE zpd_de_cylinder_type,
             p_stock  TYPE zpd_de_stock MODIF ID a3.

" Radio buttons: p_r1 = insert, p_r2 = delete, p_r3 = update.
PARAMETERS : p_r1 TYPE c RADIOBUTTON GROUP r1 USER-COMMAND abc,
             p_r2 TYPE c RADIOBUTTON GROUP r1,
             p_r3 TYPE c RADIOBUTTON GROUP r1.

START-OF-SELECTION.
  " Pattern for every branch: run the AUTHORITY-CHECK first; an error message
  " (type E) on sy-subrc <> 0 ends the program, so the database statement is
  " only reached when the check passed. Activity codes are the standard ACTVT
  " values: 01 create, 02 change, 03 display, 06 delete.

* Insert
  IF p_r1 = 'X'.
    AUTHORITY-CHECK OBJECT 'ZAUTHBID'
      ID 'ACTVT' FIELD '01'.
    IF sy-subrc <> 0.
      MESSAGE e005(zmsg_auth).             " not authorized to create
    ENDIF.

    lwa_data-cylinder_batch_id = p_id.
    lwa_data-delivery_charge   = p_charge.
    lwa_data-cylinder_type     = p_type.
    lwa_data-stock             = p_stock.

    INSERT zpd_t_stock FROM lwa_data.
    IF sy-subrc = 0.
      WRITE : TEXT-000.
    ELSE.
      WRITE : TEXT-001.
    ENDIF.
  ENDIF.

* Delete
  IF p_r2 = 'X'.
    AUTHORITY-CHECK OBJECT 'ZAUTHBID'
      ID 'ACTVT' FIELD '06'.
    IF sy-subrc <> 0.
      MESSAGE e007(zmsg_auth).             " not authorized to delete
    ENDIF.

    DELETE FROM zpd_t_stock WHERE cylinder_batch_id = p_id.
    IF sy-subrc = 0.
      WRITE : TEXT-003, ' :', p_id.
    ENDIF.
  ENDIF.

* Update
  IF p_r3 = 'X'.
    AUTHORITY-CHECK OBJECT 'ZAUTHBID'
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc <> 0.
      MESSAGE e006(zmsg_auth).             " not authorized to change
    ENDIF.

    lwa_data-cylinder_batch_id = p_id.
    lwa_data-delivery_charge   = p_charge.
    lwa_data-cylinder_type     = p_type.
    lwa_data-stock             = p_stock.

    UPDATE zpd_t_stock FROM lwa_data.
    IF sy-subrc = 0.
      WRITE : TEXT-004, ' :', p_id.
    ENDIF.
  ENDIF.

AT SELECTION-SCREEN.
  " Validate the batch ID before anything is changed: an insert must not
  " duplicate the key, a delete or update needs an existing record.
  IF p_r1 = 'X'.
    SELECT cylinder_batch_id
      FROM zpd_t_stock
      INTO TABLE lt_bid
      WHERE cylinder_batch_id = p_id.
    IF sy-subrc = 0.
      MESSAGE e003(zmsg_auth) WITH p_id.   " batch ID already exists
    ENDIF.
  ENDIF.

  IF p_r2 = 'X'.
    SELECT SINGLE cylinder_batch_id
      FROM zpd_t_stock
      INTO lwa_bid
      WHERE cylinder_batch_id = p_id.
    IF sy-subrc NE 0.
      MESSAGE e004(zmsg_auth) WITH p_id.   " batch ID not found
    ENDIF.
  ENDIF.

  IF p_r3 = 'X'.
    SELECT SINGLE cylinder_batch_id
      FROM zpd_t_stock
      INTO lwa_bid
      WHERE cylinder_batch_id = p_id.
    IF sy-subrc NE 0.
      MESSAGE e004(zmsg_auth) WITH p_id.
    ELSE.
      " Read the current values so the screen can show them for editing.
      SELECT SINGLE delivery_charge cylinder_type stock
        FROM zpd_t_stock
        INTO CORRESPONDING FIELDS OF lwa_display
        WHERE cylinder_batch_id = p_id.
    ENDIF.
  ENDIF.

AT SELECTION-SCREEN OUTPUT.
  " Hide the fields in modification groups A1..A4 (p_stock carries MODIF ID a3).
  LOOP AT SCREEN.
    IF screen-group1 = 'A1' OR screen-group1 = 'A2'
    OR screen-group1 = 'A3' OR screen-group1 = 'A4'.
      screen-active = 0.
      MODIFY SCREEN.
    ENDIF.
  ENDLOOP.

  IF p_r3 = 'X'.
    p_type   = lwa_display-cylinder_type.
    p_charge = lwa_display-delivery_charge.
    p_stock  = lwa_display-stock.
  ENDIF.

 

 

 

 

 

 

 

The same applies in the case of delete. 

 

 

So now let's discuss the key parameters present in the authorization. 

SAP_ALL: 

  • The composite profile SAP_ALL contains all SAP authorizations 
  • This means that a user with this profile can perform all tasks in the SAP system 
  • A user who has the SAP_ALL authorization has the rights to administer the SAP system 
  • In projects, it is recommended to have only one user with SAP_ALL authorizations; all other users get authorizations based on their role 


 

 

 

Here I have the SAP_ALL authorization, meaning I have all system authorizations. 

IN CASE: 

Even though I have SAP_ALL authorizations, why is it not possible to create records in the previous program? 

When we create a new object, we need to add that object to SAP_ALL. 

SAP_ALL contains many predefined authorizations. 

To add the new object, we need to regenerate SAP_ALL. 

 

So once we regenerate it, the new object will be part of SAP_ALL. 

 

Now if we try to insert a record, it will show that sy-subrc is 0. 

 

 

 

 

 

  • Now let's see the requirement of assigning an authorization for a particular field 

Suppose I want to assign an authorization for the custom field delivery charge: only certain people may see the delivery charges or change them. 

 

  1. I have a custom table of cylinder data 

 

 

  2. SU20: create the field 

 

 

  3. SU21: create the auth object class (here, reusing the already existing class) 

 

 

 

  4. Here I am providing an authorization for displaying the details of delivery charges 

 

 

Code: 
REPORT zpd_rp_auth_field.   " report name assumed; the post shows only the body

TYPES : BEGIN OF lty_display,
          delivery_charge TYPE zpd_de_charge,
          cylinder_type   TYPE zpd_de_cylinder_type,
          stock           TYPE zpd_de_stock,
        END OF lty_display.

DATA : lt_data TYPE TABLE OF lty_display,
       wa      TYPE lty_display.

" The parameter is a delivery charge, so it is typed with the charge element.
PARAMETERS : p_dc TYPE zpd_de_charge.

AT SELECTION-SCREEN.
  " Field-level check: display (03) of the records with this delivery charge.
  AUTHORITY-CHECK OBJECT 'ZDELICHRG'
    ID 'ACTVT'      FIELD '03'
    ID 'DELIVCHARG' FIELD p_dc.
  IF sy-subrc <> 0.
    MESSAGE e008(zmsg_auth) WITH p_dc.   " e.g. sy-subrc 12: object not assigned
  ENDIF.

START-OF-SELECTION.
  " Only reached when the check above passed.
  SELECT delivery_charge cylinder_type stock
    FROM zpd_t_stock
    INTO TABLE lt_data
    WHERE delivery_charge = p_dc.

  LOOP AT lt_data INTO wa.
    WRITE : / wa-delivery_charge, wa-cylinder_type, wa-stock.
  ENDLOOP.
  5. We can see that we are getting sy-subrc = 12 
  6. So when we try to display the records with a particular delivery charge, we get an error 
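One reusable check routine that covers both the batch-ID operations and the delivery-charge display scenario above, and that turns sy-subrc into a message for the user. This is an added example, not the post's own code: the objects ZAUTHBID and ZDELICHRG and the field DELIVCHARG come from the post, while the report name and the batch-ID field name ZBATCHID are assumptions.

```abap
REPORT zpd_auth_example_added.   " report name is an assumption

" Added example, not the post's code. ZAUTHBID, ZDELICHRG and DELIVCHARG are
" from the post; the batch-ID field name ZBATCHID is assumed.
CLASS lcl_auth DEFINITION.
  PUBLIC SECTION.
    " Returns an empty string when authorized, otherwise the reason to show.
    CLASS-METHODS deny_reason
      IMPORTING iv_object        TYPE c
                iv_actvt         TYPE c
                iv_field         TYPE c
                iv_value         TYPE clike
      RETURNING VALUE(rv_reason) TYPE string.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD deny_reason.
    " Object name and field name may both be variables here.
    AUTHORITY-CHECK OBJECT iv_object
      ID 'ACTVT'  FIELD iv_actvt
      ID iv_field FIELD iv_value.
    CASE sy-subrc.
      WHEN 0.      " authorized
        CLEAR rv_reason.
      WHEN 4.      " object in the user master, but not with this activity/value
        rv_reason = |No authorization for activity { iv_actvt } on { iv_object } with { iv_field } = { iv_value }|.
      WHEN 12.     " object not in the user master: no role has it, or SAP_ALL was not regenerated
        rv_reason = |Authorization object { iv_object } is not assigned to your user|.
      WHEN OTHERS.
        rv_reason = |AUTHORITY-CHECK on { iv_object } failed with sy-subrc { sy-subrc }|.
    ENDCASE.
  ENDMETHOD.
ENDCLASS.

PARAMETERS : p_id TYPE zpd_de_batch_id,
             p_dc TYPE zpd_de_charge.

START-OF-SELECTION.
  " Batch-ID scenario: check delete (06) before any DELETE and fail closed
  " (error message ends the program) on every non-zero return code.
  DATA(lv_reason) = lcl_auth=>deny_reason( iv_object = 'ZAUTHBID' iv_actvt = '06'
                                           iv_field  = 'ZBATCHID' iv_value = p_id ).
  IF lv_reason IS NOT INITIAL.
    MESSAGE lv_reason TYPE 'E'.
  ENDIF.
  " Delivery-charge scenario: display (03) of one charge value, same routine.
  lv_reason = lcl_auth=>deny_reason( iv_object = 'ZDELICHRG' iv_actvt = '03'
                                     iv_field  = 'DELIVCHARG' iv_value = p_dc ).
  IF lv_reason IS NOT INITIAL.
    MESSAGE lv_reason TYPE 'E'.
  ENDIF.
  " The DELETE on zpd_t_stock and the SELECT by delivery charge follow here.
```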


 

 

 

 

Here are some simple conclusion points: 

  • Secure Data Access: Using AUTHORITY-CHECK ensures that only authorized users can update, delete, or insert cylinder data. 
  • Granular Permissions: Instead of giving broad access (like SAP_ALL), you assign rights for specific fields (like a cylinder batch ID) to limit who can change data. 
  • Role-Based Control: By creating roles in PFCG with precise authorization objects, you control access based on business needs. 
  • Risk Reduction: Fine-grained authorizations help reduce the risk of accidental or unauthorized data changes. 
  • Ongoing Review: Regularly reviewing and updating roles ensures that permissions stay relevant and secure. 
4 Comments
Jelena_Perfiljeva
Active Contributor

Okay... This is an extensive blog post trying to cover a lot of ground related to the authorization concept. And because of that the text kind of becomes its own enemy and result is a bit difficult to follow. Below are some improvement suggestions.

  • Please, please use Pretty Printer to format the code. The misaligned code is very difficult to read.
  • The numbering is all over the place. P. 1 is followed by... another 1, etc. Such text volume really needs to be split in sections/chapters. Modularization is not just for ABAP. 🙂
  • "field" is mistyped as "filed" (different word) in many places. ChatGPT can fix this easily.
  • There are well-known transactions that can be used to troubleshoot any authorization issues, so no need to bother "BASIS people". SU53 shows all failed auth checks and ST01 has an awesome option for authorization trace.
  • The code seems off to me but I'm not sure what you were going for. For example, after authorization check, it has IF sy-subrc <> 0, then error message and then... more code. Did you miss ELSE somewhere? What's the point of having code after the error message? It would never work. Very confused on this one (and this is in more than one example).
  • I suspect quite a few readers would be confused by what is "cylinder" (I have no idea myself). There isn't a real need for such a long example IMHO. All the additional code doesn't make the point any clearer. If anyone wants to see very simple example used in our ABAP Introduction book, they are here on Github.
  • Code example for "delivery charges" is also very oddly structured. Why are you doing SELECT and LOOP and all that on selection screen? It's not how real-life code would look.
  • It would probably be helpful to add some links to SAP Help and mention why SAP documentation on this is not clear / not sufficient (I'm just guessing if it was clear this post wouldn't be needed).

Also, I didn't see it mentioned in the text but to clarify, we don't HAVE to create custom authorization objects all the time. It's OK to use existing objects if they make sense. I find many ABAPers are confused by that and think that every Z table must have its own object. Also, a typical source of confusion for functional folks: assigning object to role does nothing if there is no ABAP code that does the authority check.

Cheers!

Pradeep555
Explorer

Hi Jelena, thanks for your valuable suggestions, which I had not taken care of while posting the blog.
I hope the readers make sure of these corrections and get the good benefits of this blog!

zfiori
Participant

Hi Community,

 

  • Object class: it is a container for authorization objects  
  • Authorization object: object to check authorization 
  • Authorization field: an authorization object has the authorization field which is used to define field values 



Thanks for your selfless sharing, it really helps us a lot.

 

🙂

Regards,

ZFiori.

Pradeep555
Explorer

thank you  !
