SAP NetWeaver AS ABAP Rel ease 702, ©Copyri ght 2010 SAP AG. Al l ri ghts reserved.

ABAP Keyword Documentation → ABAP - Ref erence → Processing External Data → Data Consistency →
Authorization checks are a means of protecting functions or objects in an AS ABAP. The programmer of the function
determines where and how these checks are made, while the user administrator determines who can execute a
function or access an object.
The following terms are central to the SAP authorization concept:
Authorization Field
Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a
database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the
database table TACT and the customer-specific table TACTZ.
Maintenance using transaction SU20.
Authorization Object
Repository object that forms the basis of authorizations. An authorization object comprises up to 10 authorization
fields. The combination of authorization fields, which represent data and activities, is used for authorization
assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
Maintenance using transaction SU21.
Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic
values for the authorization fields in an authorization object. The combination determines the activities with which a
user can access certain data.
Generation from transaction PFCG (profile generator for role maintenance). Display using transaction SU03.
Authorization Profile
Grouping of several individual authorizations. Several authorization profiles can be assigned to an authorization.
Authorizations are assigned to users by specifying authorization profiles in the user master record.
Generation from transaction PFCG (profile generator for role maintenance). Display using transaction SU02.
User Master Record
The existence of a user master record is a prerequisite for logon to an AS ABAP. The master record determines
which actions users are allowed to execute and which authorizations they are assigned. Default settings, such as the
format in which decimal places are displayed in lists, are also stored in the user master record. An authorization
profile can be assigned to users as often as you wish.
Maintenance in transaction SU01.
Authorization Check
Check to determine whether the current program user has a certain authorization. The check compares a value with
the corresponding entries in each authorization field in an authorization object in the user master record. Check
indicators control whether an authorization check is performed.
The ABAP statement for this is AUTHORITY-CHECK.
Authorization Assignment
Creation of authorizations in the user master record.
Composite Profiles
Composite profiles were used (before the profile generator was introduced) in manual profile maintenance (transaction
SU02) to structure the authorization structure, but are not necessarily required. An authorization profile can be
assigned to composite profiles as often as you wish.