{"id":524,"date":"2011-11-17T04:07:50","date_gmt":"2011-11-17T04:07:50","guid":{"rendered":"http:\/\/sapsecurityanalyst.com\/WP\/?page_id=524"},"modified":"2015-05-03T09:17:29","modified_gmt":"2015-05-03T09:17:29","slug":"authorization-checks","status":"publish","type":"page","link":"https:\/\/sapsecurityanalyst.com\/WP\/general-disclaimer\/authorization-checks\/","title":{"rendered":"Authorization Check"},"content":{"rendered":"<p><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\"><span style=\"color: #0000ff;\"><strong>Authorization check<\/strong><\/span>\u00a0in SAP is implemented to make sure that users have the proper authorizations to perform any action. To ensure that these checks are in place, authorization objects are linked to users&#8217; actions in various ways:<\/span><\/span><\/p>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\"><span style=\"color: #0000ff;\"><strong>Authorization Check for Transactions<\/strong><\/span>: When a transaction is executed, several levels of authorization check take place. 
The first level of authorization check confirms whether the user has access to that particular tcode in authorization object <strong><span style=\"color: #0000ff;\">S_TCODE<\/span>.\u00a0<\/strong><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\">Once this check is successful, the user can start the transaction (assuming that no authorization object is maintained in the transaction maintenance screen (<\/span><span style=\"color: #0000ff;\"><strong>SE93<\/strong><\/span><span style=\"color: #4c4c4c; font-family: verdana;\">) for that tcode).<\/span><\/p>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\">If an authorization object is maintained for that transaction code in the SE93 screen, then to start the transaction the user also needs access to that authorization object, with the field values that are maintained in SE93.<\/span><\/p>\n<div><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\"><span style=\"color: #0000ff;\"><strong><span style=\"text-decoration: underline;\">For example<\/span><\/strong><\/span> &#8211; For tcode SU01, authorization object S_USER_GRP is maintained in the SE93 screen (as shown in the screenshot below).<\/span> <strong>The user can successfully start transaction code SU01 only when he has authorization for SU01 in S_TCODE along with authorization object S_USER_GRP with the necessary field values which are maintained in SE93 for S_USER_GRP<\/strong>.<\/span><\/div>\n<div><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/se93.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-526\" title=\"se93\" 
src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/se93.jpg\" alt=\"\" width=\"423\" height=\"506\" srcset=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/se93.jpg 423w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/se93-250x300.jpg 250w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/se93-290x346.jpg 290w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/se93-125x150.jpg 125w\" sizes=\"(max-width: 423px) 100vw, 423px\" \/><\/a><\/div>\n<ul>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>AUTHORITY-CHECK<\/strong> <span style=\"color: #4c4c4c;\">statements in ABAP Programs: AUTHORITY-CHECK statements are written into ABAP code during the development of ABAP Programs\/Reports. Authorization objects, along with the necessary field values, are inserted into the ABAP code so that user actions performed through that particular program are checked for authorization.<\/span><\/span><\/li>\n<\/ul>\n<div><span style=\"color: #4c4c4c; font-family: verdana;\">Hence these statements must be used to protect programs where users would otherwise be able to perform all actions without any authorization check. They check the authorization object values against the values present in user master records. 
The authorization object is checked unless it has been deactivated (set to &#8220;DO NOT CHECK&#8221;) in SU24 (will be discussed later).<\/span><\/div>\n<p><span style=\"color: #0000ff; font-family: verdana;\">Report\u00a0<\/span><strong><span style=\"color: #0000ff;\">RSABAPSC<\/span><\/strong><span style=\"color: #0000ff;\"><span style=\"color: #4c4c4c;\">\u00a0lists the AUTHORITY-CHECK statements used in programs and subprograms.<\/span><\/span><\/p>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><strong>Go to SA38 and execute RSABAPSC<\/strong><\/span><\/p>\n<p><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/rsabapsc1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-538\" title=\"rsabapsc\" src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/rsabapsc1.jpg\" alt=\"\" width=\"618\" height=\"583\" srcset=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/rsabapsc1.jpg 618w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/rsabapsc1-300x283.jpg 300w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/rsabapsc1-290x273.jpg 290w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/11\/rsabapsc1-150x141.jpg 150w\" sizes=\"(max-width: 618px) 100vw, 618px\" \/><\/a><\/p>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\">Note that report RSABAPSC does not always give the complete list of all the AUTHORITY-CHECK statements. Since the AUTHORITY-CHECK statements are present in programs and subprograms, it might miss the AUTHORITY-CHECK statements in some subprograms. 
By increasing the value for recurrence level, as shown in the figure above, we may get the authority check values for the next levels. The report is, however, very helpful in finding the initial level of authorization checks.<\/span><\/p>\n<h3>\u00a0<span style=\"color: #e63518;\">Our Next Post is on <em><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/home\/organizational-levels\" target=\"_blank\"><span style=\"color: #e63518;\">Organizational Levels in SAP\u00a0<\/span><\/a><\/em><\/span><\/h3>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"parent":38,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/524"}],"collection":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/comments?post=524"}],"version-history":[{"count":25,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/524\/revisions"}],"predecessor-version":[{"id":2135,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/524\/revisions\/2135"}],"up":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/38"}],"w
p:attachment":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/media?parent=524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}