Checking at Program Level with AUTHORITY-CHECK

With the ABAP statement AUTHORITY-CHECK in the source code of the program, applications
check whether the user has the relevant authorizations and whether these authorizations
are appropriately defined, that is, whether the user administrator has assigned the values
required by the programmer for the fields. In this way, you can also protect transactions that
are indirectly called by other programs.

AUTHORITY-CHECK searches in the profiles specified in the user master record for
authorizations for the authorization object specified in the AUTHORITY-CHECK statement. If
one of the authorizations found matches one of the specified values, the check is successful.

Starting Transactions

When a user starts a transaction, the system performs the following checks:
It checks in table TSTC whether the transaction code is valid and whether the system
administrator has locked the transaction.
It checks whether the user has the authorization to start the transaction.
The SAP system performs the authorization checks every time a transaction is called
using the menu or the command field. Indirectly-called transactions are not included in
this authorization check. There are additional authorization checks for more complex
transactions that call other transactions.
o The authorization object S_TCODE (transaction start) contains the
field TCD (transaction code). The user must have an authorization that contains a
value for the selected transaction code.
o If you use transaction SE93 to enter an additional authorization for the
transaction to be started using an authorization object, the user also requires this
authorization object with the appropriate value (TSTA, table TSTCA).
When you create a transaction in transaction SE93, you can assign an additional
authorization to this transaction. This is useful if you want to be able to protect a
transaction with a single authorization. If this is not the case, you should consider
using other methods to protect the transaction (for example, AUTHORITY-CHECK at
program level).
The system checks whether an authorization object is assigned to the transaction
code. If this is the case, it checks whether the user has an authorization for this
authorization object.
This check is not performed in the following cases:
o You have used transaction SU24 to deactivate the check of the authorization
objects for the transaction using check indicators, that is, you have removed an
authorization object that was entered using transaction SE93. You cannot deactivate
the check for objects from the SAP NetWeaver and HR areas.
For more information, see Check Indicators.
This can be meaningful, since a large number of authorization objects are often
checked when executing transactions, because other work areas are called in the
background. For the check to be successful, corresponding authorizations must exist.
This means that some users receive more authorizations than is absolutely necessary.
It also means that more work is required to maintain the authorizations. You should
therefore use transaction SU24 to deactivate authorization checks of this type in a
targeted way.
o You have used transaction SU24 or transaction SU25 to globally deactivate the
authorization objects for all transactions.
For more information, see Globally Deactivating Authorization Checks.
For more information, see SAP Note 1854561.

o For the entries made in transactions SU24 and SU25 to take effect, you need to
set profile parameter AUTH/NO_CHECK_IN_SOME_CASES to the value Y (using
transaction RZ10).
For the user to be able to start the transaction, all of the above checks must be successful.
Otherwise, the transaction is not started, and the system displays a corresponding message.
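
Because indirectly called transactions are not covered by the start check described above, the calling program has to perform the checks itself. The following is an added example, not code from the SAP documentation; the report name, the transaction ZDEMO_TX and the authorization object Z_DEMO_OBJ are hypothetical.

```abap
REPORT z_demo_start_check.

" Hypothetical names, for illustration only:
"   ZDEMO_TX   - transaction that this report calls indirectly
"   Z_DEMO_OBJ - custom authorization object with the field ACTVT
CONSTANTS: gc_tcode   TYPE sy-tcode   VALUE 'ZDEMO_TX',
           gc_display TYPE c LENGTH 2 VALUE '03'.  " activity 03 = display

START-OF-SELECTION.

  " 1) Repeat the transaction start check at program level.
  "    The system checks S_TCODE only for transactions called from
  "    the menu or the command field, not for indirect calls.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD gc_tcode.
  IF sy-subrc <> 0.
    " Non-zero sy-subrc: no authorization in the user's profiles
    " contains this transaction code in field TCD.
    MESSAGE 'No authorization to start the transaction'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " 2) Application-level check: the programmer names the object,
  "    the field and the required value; the user administrator
  "    must have assigned that value in an authorization.
  AUTHORITY-CHECK OBJECT 'Z_DEMO_OBJ'
    ID 'ACTVT' FIELD gc_display.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this function'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Both checks passed: the indirect call is now protected by the
  " same conditions that a direct start would be.
  CALL TRANSACTION gc_tcode.
```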
