
Authorization objects!!!

Former Member
0 Kudos
1,050

What are Authorization objects???

1 ACCEPTED SOLUTION

amit_khare
Active Contributor
0 Kudos
113
3 REPLIES 3

Former Member
0 Kudos
113

Hi,

Authorisation objects are used to restrict certain transactions to users. Critical data must be protected from unauthorised users. For example, the head has access to certain data, but it cannot be accessed by his subordinate. For this we need to define roles.

•Create an authorization object with transaction SU21.

An object usually consists of the ACTVT (activity) field and one other field, which specifies the data type to be protected. By ACTVT, we can decide if the data is accessible for change, display only, etc.

•Add authorization fields to the authorization object created.

•Assign the authorization object to the transaction using SE93.

•Attach the authorization object to the role using transaction PFCG.

Authorization Check for Transactions

You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.

Authorization Check for ABAP Programs

For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contain a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.

Authorization Check in ABAP Programs

A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.

Please check the following

http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm

http://www.sapsecurityonline.com/r3_security/r3_security_tips.htm

Regards,

Priyanka.

amit_khare
Active Contributor
0 Kudos
114

Former Member
0 Kudos
113

Hi,

Authorization Check in ABAP Programs


A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.

AUTHORITY-CHECK OBJECT object
ID name1 FIELD f1
ID name2 FIELD f2
...
ID namen FIELD fn.

object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the user’s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1 FIELD f2 with DUMMY.

After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.

Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:

· 0: The user has an authorization for all specified values.

· 4: The user does not have the authorization.

· 8: The number of specified fields is incorrect.

· 12: The specified authorization object does not exist.



Look at the Demo program

demo_authorithy_check

Regards

Sudheer
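
The AUTHORITY-CHECK usage described in the replies above, as an added example that is not part of the original thread: a coarse check with DUMMY, then one check per value because a selection table cannot follow FIELD. It assumes the flight-model table SCARR and authorization object S_CARRID (fields CARRID and ACTVT) are present; the report name is hypothetical.

```abap
REPORT z_authcheck_example.
" Added example. Assumptions: SCARR and S_CARRID (CARRID, ACTVT)
" exist in the system; the report name is hypothetical.
TABLES scarr.
SELECT-OPTIONS s_carr FOR scarr-carrid.

DATA: lt_carriers TYPE STANDARD TABLE OF scarr,
      ls_carrier  TYPE scarr,
      lv_denied   TYPE i.

START-OF-SELECTION.
  " Coarse gate: DUMMY skips CARRID, so this only asks whether the
  " user holds display (ACTVT 03) for at least one carrier.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' DUMMY
    ID 'ACTVT'  FIELD '03'.
  CASE sy-subrc.
    WHEN 0.
      " Authorized: continue.
    WHEN 4.
      MESSAGE 'No display authorization for carriers' TYPE 'E'.
    WHEN OTHERS.
      " 8 or 12 in the list above: wrong field count or unknown
      " object. Treat as a coding error and fail closed.
      MESSAGE 'Authorization check is misconfigured' TYPE 'E'.
  ENDCASE.

  SELECT * FROM scarr INTO TABLE lt_carriers
    WHERE carrid IN s_carr.

  " FIELD accepts only an elementary value, so each selected
  " carrier is checked on its own before it is shown.
  LOOP AT lt_carriers INTO ls_carrier.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD ls_carrier-carrid
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc <> 0.
      lv_denied = lv_denied + 1.
      CONTINUE.
    ENDIF.
    WRITE: / ls_carrier-carrid, ls_carrier-carrname.
  ENDLOOP.

  IF lv_denied > 0.
    WRITE: / lv_denied, 'carrier(s) hidden: no authorization'.
  ENDIF.
```

Any non-zero sy-subrc is treated as a denial here, so a mistyped object or field name never results in data being displayed.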