Showing results for 
Search instead for 
Did you mean: 

Authorization key for the user profile

Former Member
0 Kudos

In SAP, there is a provision where we can create the authorization key and assign this key to the various user statuses in the user status profile.

The application is that when the user status is changed from one to other and if to the user status, the authorisation key is assigned then the authorised person should be only able to change the status.

But my query is that i have not come across any customization where a SAP user can be assigned to the auth. key so that he can only change the user status.

Can anybody let me know that whatever i understood, is it correct? And if yes, let me know where to assign the user to the authorisation key?


Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi Raghunandan Iyer ,

In cutomerisation u can provide authorisation object like which will be useful in your PFCG role & autoriationconcept for tightning the roles & authorisation as per business requirment.

Until u dont customerise it u can not get it in the PFCG Activity.


Answers (2)

Answers (2)

Active Participant
0 Kudos

Hi Iyer

Whenever a user status is set or deleted, the user's authorization to do so is checked. The status profile, the object type and the authorization key for the user status concerned are checked.

If, for example, you want to ensure that certain user statuses can be changed only by people in a particular group, you assign all those user statuses an authorization key.

Then use authorization object B_USERSTAT to give authorizations for those authorization keys.

The authorization object hence links the user with the authorization key.


Anil Kumar

Former Member
0 Kudos

Then use authorization object B_USERSTAT to give authorizations for those authorization keys.

Hi Anil,

Can you explain me how to use the authorisation object B_USERSTAT to give authrisation for the authorisation keys?


Active Participant
0 Kudos

Hi Iyer,

Authorization object is assigned to user . Now for the combination of authorization object- b_userstat and user assign authorization ( say ZAPPROVER). See table- USRFB2

Now fot this authorization (ZAPPROVER) assign authorization values(userstatus profile which you have defined. since authorization key is defined in userstatus profile this inturn get assigned to user)

See table-USR12


Anil Kumar

Former Member
0 Kudos


Thanks for the information. But can you guide me with the transaction code in SAP to find the authorisation object and the transaction code in SAP to assign the authorisation object to the user and then this combination of authorization object and user to the authorisation key.

I am aware about how to create the authorisation key and assign it to user status in user status profile.

Request you to let me know in details. Apart from the user statuses, can you tell me about the application of authorisation key in plant maintenance?


Active Participant
0 Kudos

Hi Iyer ,

Please see the below,if it solves your requirement

M/CS Autorisation Objects

SAP Standard Authorisation Objects:

I_ALM_ME: Mobile Asset Management (ACTVT)


I_BEGRP: Authorization Group (TCD, BEGRP)

I_BETRVORG: Business Operation (BETRVORG)

I_CCM_ACT: Configuration Control authorization object (CCACT, ACTVT)

I_CCM_STRC: Structure gap maintenance authority (ACTVT)

I_ILOA: Change location and accounting data in order (IWERK, AUFART)

I_INGRP: Maintenance Planner Group (TCD, IWERK, INGRP)

I_IWERK: Maintenance Planning Plant (TCD, IWERK)


I_QMEL: Notification Types (TCD, QMART)

I_ROUT: Task List (ACTVT)

I_ROUT1: Task Lists by PM Planning Plant, Work Sched., Status (TCD, IWERK, VAGRP, STATU)


I_SWERK: Maintenance Plant (TCD, SWERK)

I_TCODE: Transaction Code (TCD)

I_VORG_MEL: Business Operation for Notifications (QMART, BETRVORG)

I_VORG_MP: Business Operation for Maintenance Planning (MPTYP, BETRVORG)

I_VORG_ORD: Business Operation for Orders (AUFART, BETRVORG)

I_WPS_MEB: Maintenance Event Builder (DIWPSMEBAR)

I_WPS_REV: Revision authorization object (REVTY, ARBPL, WERKS, WPS_REV_AC)

S_NUMBER: Number Range Maintenance (NROBJ, ACTVT)

C_TCLA_BKA: Authorization for Class Types (KLART)

*Authorisation Tables:*

TOBJ: Authorisation objects

TOBJT: Authorisation object texts

AGR_1250: Authorisation object assigned to role

AGR_USERS: Users assigned to a role

AGR_TCODES: Assignment of roles to Tcodes

Authorisation Objects for System-Statuses:


(REL = BFRE, TECO = BTAB, delete component = RMKL)




CPAU0001: Enhancement for Authorization Check in Task Lists

IMRC0005: Measure point: Exit in AUTHORITY_CHECK_IMPT

IWOC0003: PM/SM authorization check of ref. object and planner group

QQMA0026: PM/SM: Auth. check when accessing notification transaction

QQMA0030: Check validity of status change


DIP_SET_USERSETTINGS: Initial Object Check in DP Processor

INST_AUTHORITY_CHECK: PM/CS Enhanced Authorization Checks

IWO1_ORDER_BADI: Maintenance, Service, and Refurbishment Order

NOTIF_AUTHORITY_01: Additional Authorization Checks for the Notification

WORKORDER_GOODSMVT: PM/PP/PS/PI orders: auto. goods movement

Authorisation Groups:

These can be created via TCode SM30 and table T370B. They can then be assigned to the following objects:

a. Equipment (IE02)

b. Functional Locations (IL02)

c. Maintenance plans (IP02)

d. Entry List for Measurement Documents (IK32)

e. Object links (IN05, IN08)

f. User-statuses

Authorisation Debugging:

TCode SU53: Evaluate Authorization Check

Active Contributor
0 Kudos

[Original source|] of Anil's data above

Former Member
0 Kudos

Hello Raghu,

This is done by Basis users who defines the roles in the system & assigns those roles to users. Every transaction where you set/change user status has Auth objects . Basis persons defines the Auth objects values as required. One of the Auth object is for field ,Auth key -->one you defined using the node for Auth key.If you dont defined the Auth key value, the Auth object value is kept blank..

Hope this helped..