SAP Authorizations Basic Overview

SAPThis article contains the very basic info about implementing security in SAP / ABAP using Authorizations

Important transactions:

  • SU20 – Maintain Authorization Fields
  • SU21 – Maintain Authorization Classes/Objects
  • SU22 – Maintain Authorization Default Values
  • SU22_HISTORY – Change Documents for Default Values
  • SU24
    • Maintain Authorization Defaults
    • Assign Authorization Object to [TCode|WDY|IDOC|Workflow…]
    • Define Authorization templates
    • Default Values Comparison
  • SU24_HISTORY – Change Documents for Default Values
  • SU25 – Upgrade Tool for Profile Generator
  • SU25_2A_SEL – Authorization Defaults Comparison
  • SU26 – Upgrade Tool for Profile Generator
  • SU56 – Analyze User Buffer (Display all buffered authorizations for current user)
  • SE54 – Create/Assign Authorization Groups
  • PFCG – Role Maintenance

Example business scenario

Let’s try some basic example: in our new business scenario we’d like to check if user is authorized to perform an operation by checking Authorization object Z_EXAMPLE where value of its field ACTIVE must be set to ‘X’ (abap_true).

You can check the Authorization object Z_EXAMPLE in TCode SU21 (you can find it using the built-in search functionality: Ctrl+F). You can see we created it under class Basis: Administration with one Field called ACTIVE

Authorization ObjectIf you double click on the field called ACTIVE you can see details of the field + list of Authorization objects where this field is being used (currently the usage is in Object Z_EXAMPLE only)

Authorization FieldLet’s try to test if your user is authorized to run the business scenario by the following piece of code:

* This object must be assigned to user's Role and must be Active='X'
AUTHORITY-CHECK OBJECT 'Z_EXAMPLE'
  ID 'ACTIVE' FIELD abap_true.

WRITE: 'Result: ', sy-subrc.

And the result will be:

Authorization missingWe can see the result code is 12:

  • SY-SUBRC = 0
    Authorization successful or no check was carried out.
    An authorization for the authorization object was found in the user master record.
    Its value sets include the specified values.
  • SY-SUBRC = 4
    Authorization check not successful.
    One or more authorizations were found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect authorization fields or too many fields were specified.
  • SY-SUBRC = 12
    No authorization was found for the authorization object in the user master record.
  • SY-SUBRC = 24
    This return code is no longer set.
  • SY-SUBRC = 40
    An invalid user ID was specified in user.

The question now is how to assign the authorization to user?
We have to create a new role Y_EXAMPLE (or assign the object to an existing role) in TCode PFCG. After we set the new role’s name and description, we go to tab Authorizations and click on button Change Authorization Data

Role and its AuthorizationsWe don’t want to use a role template so we press cancel on Template selection screen and the main screen called Change Role: Authorizations is displayed.
Add Objects to RoleThis time we add the authorization object manually and we set the value of field ACTIVE to ‘X’

Authorization Object Fields initializedOnce you SAVE the changes, you are asked to assign the profile name – enter valid profile name and press the Generate button

Now we have the Authorization Role, Authorization Profile, Authorization Object and its fields ready to be used. We just have to select users who will be granted with the new Authorization role or Profile. To assign this new role to a user:

  1. Run TCode SU01
  2. Go to change mode for the selected user
  3. Navigate to tab Roles
  4. Assign him with the new role Y_EXAMPLE you just created
  5. Save changes

Assignment of the Role to UserIf we now try to run the same ABAP code as in the beginning, we should see the following result:

Authorization check passedRestrict Table View/Edit for TCode SM30  / SM16 or your own Z/Y TCode

Antoher business screnario might be restricting user access to usage of TCode SM30 or SE16 or your own created Z/Y TCode just for limited list of tables. Such list of tables is given by assignment of the required tables to an Authorization group.

You either already have an authorization group created or you can create a new one in TCode SE54 -> select Authorization Groups radio button + click on button Change/Create

Assignment of a table to an Authorization group can be done either:

  • Directly in change mode in TCode SE11 (Top menu -> Utilities -> Assign Authorization Group)
  • In TCode SE54 -> Assign Authorization Group radio button + click on Change/Create button

Restricting the access to such tables (assigned to an Authorization group, e.g. Y001) can be done by creating a Role, where there must at least two objects be included:

  • Objekt S_TCODE
    • Object is part of Authorization class AAAB (Cross-application Authorization Objects)
    • Field TCD (Transaction Code) = SM30 (or your own Z/Y- TCode created for your table maintenance)
  • Objekt S_TABU_DIS
    • Object is part of Authorization class BC_A (Basis: Administration)
    • Field DICBERCLS (Table Authorization Group) = Y001
    • Field ACTVT (Activity) = 02 (Change), 03 (Display)

Leave a Reply