![\"SAP\"](\"http:\/\/oprsteny.cz\/wp-content\/uploads\/SAP.jpg\")
This article contains the very basic info about implementing security in SAP \/ ABAP using Authorizations<\/p>\nThis article contains the very basic info about implementing security in SAP \/ ABAP using Authorizations<\/p>\n
Let’s try some basic example: in our new business scenario we’d like to check if user is authorized to perform an operation by checking Authorization object Z_EXAMPLE<\/em> where value of its field ACTIVE<\/em> must be set to ‘X’ (abap_true).<\/p>\n You can check the Authorization object Z_EXAMPLE<\/em> in TCode SU21 (you can find it using the built-in search functionality: Ctrl+F). You can see we created it under class Basis: Administration <\/em>with one Field called ACTIVE<\/em><\/p>\n And the result will be:<\/p>\n The question now is how to assign the authorization to user? Now we have the Authorization Role<\/em>, Authorization Profile<\/em>, Authorization Object<\/em> and its fields<\/em> ready to be used. We just have to select users who will be granted with the new Authorization role or Profile. To assign this new role to a user:<\/p>\n Antoher business screnario might be restricting user access to usage of TCode SM30 or SE16 or your own created Z\/Y TCode just for limited list of tables. Such list of tables is given by assignment of the required tables to an Authorization group.<\/em><\/p>\n You either already have an authorization group created or you can create a new one in TCode SE54 -> select Authorization Groups<\/em> radio button + click on button Change\/Create<\/em><\/p>\n Assignment of a table to an Authorization group can be done either:<\/p>\n Restricting the access to such tables (assigned to an Authorization group, e.g. Y001<\/em>) can be done by creating a Role, where there must at least two objects be included:<\/p>\n This article contains the very basic info about implementing security in SAP \/ ABAP using Authorizations<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"SAP Authorizations Basic Overview","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[16,233,9,39,5],"tags":[374,377,376,375,17],"class_list":["post-1243","post","type-post","status-publish","format-standard","hentry","category-abap","category-customizing","category-development","category-infrastructure","category-tools","tag-authorizations","tag-pfcg","tag-profiles","tag-roles","tag-sap"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p3nYbe-k3","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/oprsteny.cz\/index.php?rest_route=\/wp\/v2\/posts\/1243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oprsteny.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oprsteny.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oprsteny.cz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oprsteny.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1243"}],"version-history":[{"count":4,"href":"https:\/\/oprsteny.cz\/index.php?rest_route=\/wp\/v2\/posts\/1243\/revisions"}],"predecessor-version":[{"id":1255,"href":"https:\/\/oprsteny.cz\/index.php?rest_route=\/wp\/v2\/posts\/1243\/revisions\/1255"}],"wp:attachment":[{"href":"https:\/\/oprsteny.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oprsteny.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oprsteny.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Authorization](\"http:\/\/oprsteny.cz\/wp-content\/uploads\/AUTHORIZATIONS_01.png\")
<\/a>If you double click on the field called ACTIVE<\/em> you can see details of the field + list of Authorization objects where this field is being used (currently the usage is in Object Z_EXAMPLE<\/em> only)<\/p>\n<\/a>Let’s try to test if your user is authorized to run the business scenario by the following piece of code:<\/p>\n* This object must be assigned to user's Role and must be Active='X'\r\nAUTHORITY-CHECK OBJECT 'Z_EXAMPLE'\r\n ID 'ACTIVE' FIELD abap_true.\r\n\r\nWRITE: 'Result: ', sy-subrc.<\/pre>\n
<\/a>We can see the result code is 12:<\/p>\n\n
\nAuthorization\u00a0successful\u00a0or\u00a0no\u00a0check\u00a0was\u00a0carried\u00a0out.
\nAn\u00a0authorization\u00a0for\u00a0the\u00a0authorization\u00a0object\u00a0was\u00a0found\u00a0in\u00a0the\u00a0user\u00a0master\u00a0record.
\nIts\u00a0value\u00a0sets\u00a0include\u00a0the\u00a0specified\u00a0values.<\/li>\n
\nAuthorization\u00a0check\u00a0not\u00a0successful.
\nOne\u00a0or\u00a0more\u00a0authorizations\u00a0were\u00a0found\u00a0for\u00a0the\u00a0authorization\u00a0object in\u00a0the\u00a0user\u00a0master\u00a0record\u00a0and\u00a0they\u00a0include\u00a0the\u00a0value\u00a0sets, but\u00a0not\u00a0the\u00a0values\u00a0specified,\u00a0or\u00a0incorrect\u00a0authorization\u00a0fields or\u00a0too\u00a0many\u00a0fields\u00a0were\u00a0specified.<\/li>\n
\nNo authorization was found for the authorization object in the user master record.<\/li>\n
\nThis return code is no longer set.<\/li>\n
\nAn invalid user ID was specified in user.<\/li>\n<\/ul>\n
\nWe have to create a new role Y_EXAMPLE<\/em> (or assign the object to an existing role) in TCode PFCG. After we set the new role’s name and description, we go to tab Authorizations<\/em> and click on button Change Authorization Data<\/em><\/p>\n<\/a>We don’t want to use a role template so we press cancel on Template selection screen and the main screen called Change Role: Authorizations <\/em>is displayed.
\n<\/a>This time we add the authorization object manually and we set the value of field ACTIVE<\/em> to ‘X’<\/p>\n<\/a>Once you SAVE the changes, you are asked to assign the profile name – enter valid profile name and press the Generate<\/em> button<\/p>\n\n
<\/a>If we now try to run the same ABAP code as in the beginning, we should see the following result:<\/p>\n<\/a>Restrict Table View\/Edit for TCode SM30\u00a0 \/ SM16 or your own Z\/Y TCode<\/h2>\n\n
\n
\n
\n