SAP Program authorization


In this post we will focus on how to secure programs. In one of our previous posts on tables, we saw that authorization group plays a very vital role for securing  tables. Program authorization group for program plays a similar role as far as securing programs are concerned. Authorization object S_PROGRAM plays the role of restricting access to a program.


Three types of actions can be assigned to program authorization groups :

  • Starting a program
  • Executing a program as a background job
  • Maintaining variants



Authorization object S_PROGRAM has following authorization fields:

  • Authorization group ABAP program (P_GROUP)
  • User action ABAP program (P_ACTION)



Following are the user action (permitted activities) for ABAP programs:

  • SUBMIT : This authorization field is used to start the program
  • BTCSUBMIT : This field is for scheduling the program to run as a background job
  • VARIANT : This authorization field is for maintaining variants


Table TSTC provides transaction code to program mapping information. Given an ABAP program, we can find out the transaction code linked to that program by using table TSTC (provided the program is linked to a tcode).


Authorization group for a program can be created in cross client table TPGPV_TPGP via tcode SM30.


Once a program authorization group is created, it can be linked to a program via tcode SE38 (program attributes) or via report RSCSAUTH.