To ensure that a user has the appropriate authorizations when he or she
performs an action, users are subject to authorization checks.
The following actions are subject to authorization checks that are performed
before the start of a program or table maintenance and which the SAP
applications cannot avoid:
· Starting SAP transactions (authorization object S_TCODE)
· starting reports (authorization object S_PROGRAM)
· Calling RFC function modules (authorization object S_RFC)
· Table maintenance with generic tools (S_TABU_DIS)
In coming posts, we will see how to add authorization checks for Reports and
transactions.
Today we will discuss about table authorization checks.
Purpose of assigning authorization groups for tables:
You can assign authorization groups to tables to avoid users accessing tables
using general access tools (such as transaction SE16). A user requires not only
authorization to execute the tool, but must also have authorization to be permitted
to access tables with the relevant group assignments. For this case, we deliver
tables with predefined assignments to authorization groups. The assignments
are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
Now we will see how to assign/create authorization group for a table:
Go to SE54, Give the table name and choose authorization group and then click
on create/change. You can
create an authorization group.
Example:
You can assign a table to authorization group Z001. (Use transaction SM30 for
table TDDAT) A user that
wants to access this table must have authorization object S_TABU_DIS in his or
her profile with the value
Z001 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
Authorization Check:
In the earlier post, we came to know the importance of authorization check in real
time environment. We know how to check authorization for table maintenance.
(Please refer earlier post).
Now we will see how to check authorization for Reports, Transactions, RFC
function modules.
The following actions are subject to authorization checks that are performed
before the start of a program or table maintenance and which the SAP
applications cannot avoid:
Starting SAP transactions (authorization object S_TCODE)
starting reports (authorization object S_PROGRAM)
Calling RFC function modules (authorization object S_RFC)
Table maintenance with generic tools (S_TABU_DIS)
The authorization objects S_TCODE, S_PROGRAM, S_RFC, and S_TABU_DIS
are standard SAP provided.
Creating a new authorization object is not in the scope of ABAP developer. It will
be taken care by SAP BASIS team.
To add authorization check to your program, you need to add the following code in
your report. Imagine that you have created a transaction code for your report, then
you should use the authorization object S_TCODE to check the authorization.
You can place the code in initialization event.
*Initialization
INITIALIZATION.
AUTHORITY-CHECK OBJECT 'S_TCODE'
ID 'TCD' FIELD 'ZEXAMPLE'.
IF sy-subrc <> 0. "Not Authorized
MESSAGE e003(ZZ) WITH 'TCD' 'ZEXAMPLE'.
ENDIF.
Here zexample is the transaction code created for the report.
No comments:
Post a Comment