-
Products and Technology
By Category
-
Groups
Activity Groups
Industry Groups
Influence and Feedback Groups
Interest Groups
Location Groups
Customer Only Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
Products
Learning and Support
-
- Products and Technology
- Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
- Explore SAP
-
Products
- Products
- SAP Business Suite
- Artificial Intelligence
- Business applications
- Data and analytics
- Technology Platform
- Financial Management
- Spend Management
- Supply Chain Management
- Human Capital Management
- Customer Experience
- SAP Business Network
- View products A-Z
- View industries
- Try SAP
- Partners
- Services
- Learning and Support
- About
- SAP Community
- Groups
- Interest Groups
- Application Development and Automation
- Discussions
- Re: Auth Objects
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Auth Objects
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 1:58 PM
- SAP Managed Tags
- ABAP Development
Hi Experts,
Please reply me that what are the authorization objects and why do we use them??
Thanking in advance.
Gauima.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 2:08 PM
- SAP Managed Tags
- ABAP Development
Hi Gauima,
Here it goes...
You could use ST01 to switch on the authorization trace. If you do not have access to ST01,
you could execute SU53 to check the authorization
objects being checked for a transaction.
For eg you execute MM01 and then you execute SU53 to see what authorization checks were
performed when you executed MM01.
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
...
ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains
all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part
of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together.
This means that if the CHECK finds all the specified values in one authorization,
the user can proceed. Only if none of the authorizations for a user contains all the required
values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may
continue.
The return code value changes according to the different error scenarios. The return code
values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary,
change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization.
Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program.
If the return code value is 4, 12, 16 or 24, consult your system administrator if
you think you should have the relevant authorization. In the case of errors 28 to 36,
contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles,
i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check
is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case,
the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields.
For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user
has entered all the values, use DUMMY - as in this example. You can confirm the
authorization later with another AUTHORITY-CHECK.
Authorization checks are a means of protecting functions or objects in the R/3 System.
The programmer of the function determines where and how these checks are made, while the
user administrator determines (within the framework defined by the programmer) who can
execute a function or access an object.
The terms central to the SAP authorization concept are:
Authorization field
This is the smallest unit against which checks can be made. The programmer can create
authorization fields by selecting Tools → ABAP Workbench → Development →
Other tools → Authorization objs → Fields.
Example: ACTVT and CUSTTYPE.
Authorization object
An authorization object groups together 1 to 10 authorization fields which can then be
checked as a combination. The programmer can create authorization fields by selecting
Tools → ABAP Workbench → Development → Other tools → Authorization
objs → Objects.
Example: The authorization objekt S_TRVL_BKS groups together the authorization fields
ACTVT and CUSTTYPE.
Authorization
An authorization is a combination of permitted values for each authorization field of
an authorization object. The user administrator creates authorizations by selecting
Tools → Administration → Maintain users → Authorization.
Example:
S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
for customer type (CUSTTYPE) and
02 for activity (ACTVT).
Users who have this authorization are allowed to change the bookings of all customers.
S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
B for customer type (CUSTTYPE) and
03 for activity (ACTVT).
Users who have this authorization are allowed to display the postings of all customers.
Authorization profile
An authorization profile represents a simple workplace in the context of authorizations.
An authorization profile contains authorizations for the authorization objects a user
needs to operate effectively in a restricted task area. The user administrator creates
authorizations by selecting Tools → Administration → Maintain users →
Profiles.
User master record
Your user master record is checked when you logon to the R/3 system. Through the authorization
profiles, this provides restricted access to the functions and objects of the R/3 System.
The user administrator creates authorizations by selecting Tools → Administration →
Maintain users → Users.
Authorization check
The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by
specifying the value to be checked for each authorization field defined. The system then
scans the profiles in the user master record for the authorizations specified. If one of
the authorizations found for all fields of the authorization object covers the values
specified by AUTHORITY-CHECK, the check was successful.
Example: Check whether the user is allowed to change the postings of business customers:
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization
check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the
authorization S_TRVL_CUS1, the check fails.
Authorization assignment
The system administrator is responsible for assigning user master records with the
correct authorizations. You should use the Profile Generator to maintain authorization
profiles. However, you can also change them manually. Each authorization object contains
authorizations. These are grouped together in authorization profiles such that each
authorization profile represents a job description, for example 'flight reservations clerk'.
You assign one or more authrization profiles to each user master record. You can assign an
authorization to as many authorization profiles as you like, and an authorization profile
to as many composite profiles and users as you like. Composite profiles are used in manual
authorization maintenance, and form a further division in the authorization structure.
However, they are not strictly necessary.
Hope this helps u...
Regards.
Seema.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 2:00 PM
- SAP Managed Tags
- ABAP Development
Hi,
Check this:
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
...
ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
Regards
Laxman
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 2:02 PM
- SAP Managed Tags
- ABAP Development
Auth Objects are used to restrict users from executing transactions for which they are not authorized.
For eg a MM user is not authorised to execute transactions related to FI.
We use them by calling the AUTHORITY CHECK command in the programs.
Refer SAP help for further help.
-Kiran
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 2:02 PM
- SAP Managed Tags
- ABAP Development
Hi,
authorization objects are used to prevent access to particular report or transaction.
It is attach with an object . whenever user tries to access particular object it check the authentication before allowing it.
Check this link for the application.
<b>Authorization Object Creation</b>
<b>Direct Link from SAP</b>
1. Authorization fields are created under Tools -
> ABAP Workbench ---> Development -
> Other tools -
> Authorization objects -
> Fields (transaction SU20).
<b>Reward points if it helps</b>
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 2:04 PM
- SAP Managed Tags
- ABAP Development
Hi,
Check this sap help..
http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
Regards
vijay
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 2:08 PM
- SAP Managed Tags
- ABAP Development
Hi Gauima,
Here it goes...
You could use ST01 to switch on the authorization trace. If you do not have access to ST01,
you could execute SU53 to check the authorization
objects being checked for a transaction.
For eg you execute MM01 and then you execute SU53 to see what authorization checks were
performed when you executed MM01.
AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
...
ID name10 FIELD f10.
Effect
Explanation of IDs:
object
Field which contains the name of the object for which the authorization is to be checked.
name1 ...
Fields which contain the names of the
name10
authorization fields defined in the object.
f1 ...
Fields which contain the values for which the
f10
authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains
all values of f (see SAP authorization concept).
You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part
of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together.
This means that if the CHECK finds all the specified values in one authorization,
the user can proceed. Only if none of the authorizations for a user contains all the required
values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may
continue.
The return code value changes according to the different error scenarios. The return code
values have the following meaning:
4
User has no authorization in the SAP System for such an action. If necessary,
change the user master record.
8
Too many parameters (fields, values). Maximum allowed is 10.
12
Specified object not maintained in the user master record.
16
No profile entered in the user master record.
24
The field names of the check call do not match those of an authorization.
Either the authorization or the call is incorrect.
28
Incorrect structure for user master record.
32
Incorrect structure for user master record.
36
Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program.
If the return code value is 4, 12, 16 or 24, consult your system administrator if
you think you should have the relevant authorization. In the case of errors 28 to 36,
contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles,
i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check
is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case,
the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields.
For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0002'
ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' DUMMY
ID 'ACTVT' FIELD '01':
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
ID 'WERKS' FIELD '0005'
ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user
has entered all the values, use DUMMY - as in this example. You can confirm the
authorization later with another AUTHORITY-CHECK.
Authorization checks are a means of protecting functions or objects in the R/3 System.
The programmer of the function determines where and how these checks are made, while the
user administrator determines (within the framework defined by the programmer) who can
execute a function or access an object.
The terms central to the SAP authorization concept are:
Authorization field
This is the smallest unit against which checks can be made. The programmer can create
authorization fields by selecting Tools → ABAP Workbench → Development →
Other tools → Authorization objs → Fields.
Example: ACTVT and CUSTTYPE.
Authorization object
An authorization object groups together 1 to 10 authorization fields which can then be
checked as a combination. The programmer can create authorization fields by selecting
Tools → ABAP Workbench → Development → Other tools → Authorization
objs → Objects.
Example: The authorization objekt S_TRVL_BKS groups together the authorization fields
ACTVT and CUSTTYPE.
Authorization
An authorization is a combination of permitted values for each authorization field of
an authorization object. The user administrator creates authorizations by selecting
Tools → Administration → Maintain users → Authorization.
Example:
S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
for customer type (CUSTTYPE) and
02 for activity (ACTVT).
Users who have this authorization are allowed to change the bookings of all customers.
S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
B for customer type (CUSTTYPE) and
03 for activity (ACTVT).
Users who have this authorization are allowed to display the postings of all customers.
Authorization profile
An authorization profile represents a simple workplace in the context of authorizations.
An authorization profile contains authorizations for the authorization objects a user
needs to operate effectively in a restricted task area. The user administrator creates
authorizations by selecting Tools → Administration → Maintain users →
Profiles.
User master record
Your user master record is checked when you logon to the R/3 system. Through the authorization
profiles, this provides restricted access to the functions and objects of the R/3 System.
The user administrator creates authorizations by selecting Tools → Administration →
Maintain users → Users.
Authorization check
The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by
specifying the value to be checked for each authorization field defined. The system then
scans the profiles in the user master record for the authorizations specified. If one of
the authorizations found for all fields of the authorization object covers the values
specified by AUTHORITY-CHECK, the check was successful.
Example: Check whether the user is allowed to change the postings of business customers:
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization
check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the
authorization S_TRVL_CUS1, the check fails.
Authorization assignment
The system administrator is responsible for assigning user master records with the
correct authorizations. You should use the Profile Generator to maintain authorization
profiles. However, you can also change them manually. Each authorization object contains
authorizations. These are grouped together in authorization profiles such that each
authorization profile represents a job description, for example 'flight reservations clerk'.
You assign one or more authrization profiles to each user master record. You can assign an
authorization to as many authorization profiles as you like, and an authorization profile
to as many composite profiles and users as you like. Composite profiles are used in manual
authorization maintenance, and form a further division in the authorization structure.
However, they are not strictly necessary.
Hope this helps u...
Regards.
Seema.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2006 Jul 07 2:12 PM
- SAP Managed Tags
- ABAP Development
Hi,
look this link for authorization object concept:
http://help.sap.com/saphelp_47x200/helpdata/en/d8/731d304b7511d1894b0000e8323c4f/frameset.htm
and look this link for a simple example:
http://help.sap.com/saphelp_47x200/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm
Best regards
Giulio
Bluesky