Authorization Check

 


Authorization check in SAP is implemented to make sure that users have the proper authorizations to perform any action. To ensure that these checks are in place, authorization objects are linked to users’ actions using various ways:


  • Authorization Check for Transactions: When a transaction is executed, some levels of authorization check take place. The first level of authorization check tries to confirm if the user has access to that particular tcode in authorization object S_TCODE

Once this check is successful, user can go ahead and start this transaction successfully (assuming that no authorization object is maintained in transaction maintenance screen (SE93) for that tcode).

 

If some authorization object is maintained for that transaction code in SE93 screen, then to start the execution of that transaction, the user needs to have access to that authorization object also along with the field values which are maintained in SE93.

 

 

For example – For tcode SU01, authorization object S_USER_GRP is maintained in SE93 screen ( as shown in the screenshot below). The user can successfully start transaction code SU01 only when he has authorization for SU01 in S_TCODE along with authorization object S_USER_GRP with the necessary field values which are maintained in SE93 for S_USER_GRP.

 

 

 

  • AUTHORITY-CHECK statements in ABAP Programs: AUTHORITY-CHECK statements are used in ABAP codes while development of ABAP Programs/Reports. Authorization objects along with the necessary field values are inserted into the ABAP code for authorization check against user actions through that particular program.


Hence these statements must be used to protect programs where users are able to perform all actions without any authorization check. These check for authorization object values against the values present in user master records. The authorization object is checked unless it has been (deactivated) set to “DO NOT CHECK” in SU24 (will be discussed later).

 


Report 
RSABAPSC gives the authority-check commands used in programs and subprograms.

 


Go to SA38 and execute RSABAPSC

 



The point to note is that Report RSABAPSC does not always give the complete list of all the authority check statements. Since the AUTHORITY-CHECK statements are present in programs and subprograms, it might miss the authority check statements for some subprograms. By increasing the value for recurrence level as shown in the figure above, we may get the authority check values for next levels. It is however very helpful in finding the initial level of authorization checks.


 Our Next Post is on Organizational Levels in SAP 

 

Comments are closed.

Leave a Comment


*