SAP Authorization Concept With Samples
Takeaway:
Whether you're a developer, a consultant, or the user of an SAP system, you'll eventually come across issues related to authorization. This article provides some handy code samples to help you get acquainted with authorization in SAP.
With authorization, you can restrict users from viewing confidential data on-screen or deny them access to certain transactions. For instance, suppose your company has two departments, each supervised by a different manager. Your business process demands that users of one department cannot view the salary structure of the other. Alternatively, the person running a cost report is shown only the costs incurred as a result of activities performed in his or her own division.
Basically, SAP decides at runtime whether a particular user is permitted to enter a given application area. While a thorough description of authorization is beyond the scope of this article, it's a good idea to familiarize yourself with the inner workings of the authorization mechanism.
Authorizations
An authorization is simply defined as a set of assigned values for each authorization field of a given object. Authorizations are first created and then assigned to users via authorization profiles.
Authorization profiles
An authorization profile is a group of authorizations that collectively form a generic representation of a job role or description, such as an HR payroll user. All authorizations are switched off for a user upon creation. The system administrator then assigns authorization profiles to user master records. A particular authorization profile may be assigned to multiple users. Likewise, a user may be allotted multiple profiles, each covering a different job role.
programs. You may use this statement together with other ABAP statements to check whether the user is permitted to work within a particular application area. The statement is effective only if the relevant authorization object exists. The syntax is as follows:
AUTHORITY-CHECK OBJECT 'object_name'
  ID 'fieldname1' FIELD fieldvalue1
  ID 'fieldname2' FIELD fieldvalue2
  ID 'fieldname3' FIELD fieldvalue3.
IF sy-subrc EQ 0. " Authorization exists
ENDIF.
When using the statement above, you specify an authorization object along with its fields (fieldname1, fieldname2, etc.) and the comparison values (fieldvalue1, fieldvalue2, etc.) to be tested. For fields that are not relevant to the check, use the addition DUMMY instead of FIELD with a value; such a field is then not tested. SAP performs the check by comparing the values passed by the program with those contained in the authorizations of the user's profile. If the user passes the check, the return code SY-SUBRC is set to 0. An example is shown below:
AUTHORITY-CHECK OBJECT 'PCL_X'
  ID 'RELID' FIELD 'RX'  " Cluster RX of payroll data
  ID 'AUTHC' FIELD 'R'.  " Read authorization
IF sy-subrc EQ 0. " Authorization exists
ENDIF.
The authorization object PCL_X is used to check authorizations for the clusters residing in tables PCL1, PCL2, and so on. We pass the cluster name (RX) as the comparison value for the field RELID and the operation to be performed on the cluster data (R for read) for the field AUTHC. If a matching authorization is found in the user's profile, SY-SUBRC is set to 0.
Code samples
When you come across a standard program, search for the AUTHORITY-CHECK statement to get an idea of the authorization objects it uses. The following are a few of the ways this statement can be used to control application behavior based on the user's profile:
In case SY-SUBRC is not equal to 0, the functions that the user is to be denied are collected in the internal table EXCL_TAB. The SET PF-STATUS command with the EXCLUDING addition then displays all functions except those listed in EXCL_TAB. If the authorization check succeeds, that code is not executed, the internal table stays empty, and all functions are displayed as enabled for the user.
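The pattern described above, written out as an added example (this is not code from the original article). It assumes a GUI status named MAIN with the function codes DELE and CHNG, and a customer authorization object ZDOC_ADM with the fields ACTVT and BUKRS; all of these names are hypothetical and must exist in the system before the report can run. The BUKRS field is passed as DUMMY for the menu decision, which shows the DUMMY addition from the syntax discussion above.

```abap
" Added example, not code from the original article. Assumes a GUI status
" MAIN with function codes DELE and CHNG, and a customer authorization
" object ZDOC_ADM with fields ACTVT and BUKRS (hypothetical names).
REPORT zauth_pf_status_demo.

DATA excl_tab TYPE TABLE OF sy-ucomm.   " function codes to hide

PARAMETERS p_bukrs TYPE bkpf-bukrs.     " company code the user works on

START-OF-SELECTION.
  CLEAR excl_tab.

  " Delete allowed? ACTVT '06' is the standard activity value for delete.
  " The company code does not matter for the menu decision, so BUKRS is
  " passed as DUMMY and is not tested.
  AUTHORITY-CHECK OBJECT 'ZDOC_ADM'
    ID 'ACTVT' FIELD '06'
    ID 'BUKRS' DUMMY.
  IF sy-subrc <> 0.
    APPEND 'DELE' TO excl_tab.
  ENDIF.

  " Change allowed? ACTVT '02' is the standard activity value for change.
  AUTHORITY-CHECK OBJECT 'ZDOC_ADM'
    ID 'ACTVT' FIELD '02'
    ID 'BUKRS' DUMMY.
  IF sy-subrc <> 0.
    APPEND 'CHNG' TO excl_tab.
  ENDIF.

  " Show every function of status MAIN except the ones collected above.
  " If both checks passed, excl_tab is empty and nothing is hidden.
  SET PF-STATUS 'MAIN' EXCLUDING excl_tab.
  WRITE: / 'Company code', p_bukrs, '- choose a function.'.

AT USER-COMMAND.
  " A hidden button is not a security boundary: a function code can still
  " reach the program (for example typed into the command field), so the
  " authorization is checked again, now against the concrete company code.
  CASE sy-ucomm.
    WHEN 'DELE'.
      AUTHORITY-CHECK OBJECT 'ZDOC_ADM'
        ID 'ACTVT' FIELD '06'
        ID 'BUKRS' FIELD p_bukrs.
      IF sy-subrc <> 0.
        MESSAGE 'No authorization to delete in this company code' TYPE 'E'.
      ENDIF.
      WRITE: / 'Delete requested for', p_bukrs.
    WHEN 'CHNG'.
      AUTHORITY-CHECK OBJECT 'ZDOC_ADM'
        ID 'ACTVT' FIELD '02'
        ID 'BUKRS' FIELD p_bukrs.
      IF sy-subrc <> 0.
        MESSAGE 'No authorization to change in this company code' TYPE 'E'.
      ENDIF.
      WRITE: / 'Change requested for', p_bukrs.
  ENDCASE.
```

The two checks serve different purposes: the one in START-OF-SELECTION only decides what the menu looks like, while the one in AT USER-COMMAND is the actual control point, so it tests the specific company code rather than DUMMY. Removing a function from the status is a usability measure; the authorization check at the point of action is what prevents the operation.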
In report criteria
Users may try to view data belonging to areas they are not authorized for by entering certain inputs on a report's selection screen. Code that deals with this problem is shown below.
SELECT * FROM bkpf.
In this case, the authority check is placed inside the SELECT loop. Each row read from the database is passed to the authority check to determine whether the current user may see it. The WRITE statement is executed only if the return code equals 0 (i.e., the user holds an authorization matching the relevant BKPF field values).
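A complete version of the SELECT-loop check described above, added here as an example (it is not the article's own code, of which only the opening SELECT line survives). It assumes the standard SAP authorization object F_BKPF_BUK with the fields BUKRS (company code) and ACTVT, and uses activity '03' for display; the report and variable names are made up for the example.

```abap
" Added example, not the article's code. Assumes the standard authorization
" object F_BKPF_BUK (fields BUKRS and ACTVT); ACTVT '03' = display.
REPORT zauth_bkpf_demo.

DATA: ls_bkpf   TYPE bkpf,
      lv_denied TYPE i.   " rows suppressed because of missing authorization

SELECT-OPTIONS: s_bukrs FOR ls_bkpf-bukrs,
                s_gjahr FOR ls_bkpf-gjahr.

START-OF-SELECTION.
  " The selection screen is not a control: a user can type any company
  " code into S_BUKRS, so every row is checked before it is displayed.
  SELECT * FROM bkpf INTO ls_bkpf
    WHERE bukrs IN s_bukrs
      AND gjahr IN s_gjahr.

    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD ls_bkpf-bukrs
      ID 'ACTVT' FIELD '03'.

    IF sy-subrc = 0.
      " WRITE runs only for rows the user is authorized to see
      WRITE: / ls_bkpf-bukrs, ls_bkpf-belnr, ls_bkpf-gjahr, ls_bkpf-budat.
    ELSE.
      lv_denied = lv_denied + 1.   " count, but never display, denied rows
    ENDIF.
  ENDSELECT.

  IF lv_denied > 0.
    " Tell the user the list is filtered without revealing the hidden data.
    WRITE: / lv_denied, 'document(s) not shown: no authorization'.
  ENDIF.
```

Checking inside the loop is the simplest form of the technique and guarantees that no unauthorized row reaches the list, but it costs one AUTHORITY-CHECK per row and reads rows that are then discarded. For large tables, the usual refinement is to run the check once per company code in S_BUKRS before the SELECT and restrict the WHERE clause to the authorized ones, which keeps the same result while avoiding the unnecessary database reads.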
http://articles.techrepublic.com.com/5102-6329-5110893.html 3/20/2007