What is the use of Authorization Checks?

To ensure that a user has the appropriate authorizations when he or she

performs an action, users are subject to authorization checks.

The following actions are subject to authorization checks that are performed

before the start of a program or table maintenance and which the SAP

applications cannot avoid:

· Starting SAP transactions (authorization object S_TCODE)

· starting reports (authorization object S_PROGRAM)

· Calling RFC function modules (authorization object S_RFC)

· Table maintenance with generic tools (S_TABU_DIS)

In coming posts, we will see how to add authorization checks for Reports and

transactions.

Today we will discuss about table authorization checks.

Purpose of assigning authorization groups for tables:

You can assign authorization groups to tables to avoid users accessing tables

using general access tools (such as transaction SE16). A user requires not only

authorization to execute the tool, but must also have authorization to be permitted

to access tables with the relevant group assignments. For this case, we deliver

tables with predefined assignments to authorization groups. The assignments

are defined in table TDDAT; the checked authorization object is S_TABU_DIS.

Now we will see how to assign/create authorization group for a table:

Go to SE54, Give the table name and choose authorization group and then click

on create/change. You can

create an authorization group.

Example:

You can assign a table to authorization group Z001. (Use transaction SM30 for

table TDDAT) A user that

wants to access this table must have authorization object S_TABU_DIS in his or

her profile with the value

Z001 in the field DICBERCLS (authorization group for ABAP Dictionary objects).

Authorization Check:

In the earlier post, we came to know the importance of authorization check in real

time environment. We know how to check authorization for table maintenance.

(Please refer earlier post).

Now we will see how to check authorization for Reports, Transactions, RFC

function modules.

The following actions are subject to authorization checks that are performed

before the start of a program or table maintenance and which the SAP

applications cannot avoid:

Starting SAP transactions (authorization object S_TCODE)

 starting reports (authorization object S_PROGRAM)

 Calling RFC function modules (authorization object S_RFC)

 Table maintenance with generic tools (S_TABU_DIS)

The authorization objects S_TCODE, S_PROGRAM, S_RFC, and S_TABU_DIS

are standard SAP provided.

Creating a new authorization object is not in the scope of ABAP developer. It will

be taken care by SAP BASIS team.

To add authorization check to your program, you need to add the following code in

your report. Imagine that you have created a transaction code for your report, then

you should use the authorization object S_TCODE to check the authorization.

You can place the code in initialization event.

*Initialization

INITIALIZATION.

AUTHORITY-CHECK OBJECT 'S_TCODE'

ID 'TCD' FIELD 'ZEXAMPLE'.

IF sy-subrc <> 0. "Not Authorized

MESSAGE e003(ZZ) WITH 'TCD' 'ZEXAMPLE'.

ENDIF.

Here zexample is the transaction code created for the report.

No comments:

topics