SAP ABAP AUTHORISATION CHECKS

AUTHORISATION CHECKS


The authorization concept uses authorization objects and authorizations.

Authorization objects are repository objects and are maintained in the ABAP Dictionary. They consist of a name and up to ten logically-related fields that are used in the authorization check. Authorization objects define a logical grouping of fields whose values will be used in the authorization check. The above example uses the authorization object S_CARRID, which combines airline (CARRID) and activity (ACTVT, with the four possible values create, change, display, and delete).

An authorization for an authorization object is a concrete set of values for the fields of an Authorization object.

Authorizations are grouped by profiles (business activities), which are assigned to users in their user master records.

For further information, see the ABAP Editor Keyword documentation for the term Authorization concept.

In an authorization check, you specify the object and values that the user needs in an authorization in his or her user master record.

In our example, we want to check whether the user has authorization for the object S_CARRID in which the field CARRID (airline) has the value 'LH' and the field ACTVT (activity) has the value '03' for 'display'. The activity codes are listed in tables TACT and TACTZ and are also documented in the relevant authorization objects.

In the AUTHORITY CHECK, you must specify all fields of the object, otherwise, the return code will be unequal to zero. If you do not want to perform a check for one field, enter DUMMY in the field.

The most important return codes for the AUTHORITY-CHECK statement are:
0: The user has an authorization with the correct values.
4: The user does not have the required authorization.
8: You did not list all of the fields in the authorization object, so the check was unsuccessful.

For a full list of all return codes, see the keyword documentation in the ABAP Editor for AUTHORITY-CHECK.

You can only enter single fields after the FIELD addition, not selection tables. However, there are function modules that can perform an AUTHORITY-CHECK for all values in a selection table.

Use the model for the AUTHORITY-CHECK in the ABAP Editor. This model inserts all names of the authorization object fields.

The R/3 System contains tools that help you to administer authorizations and assign them to user master records.

Authorizations are always assigned to a user using authorization profiles.

Authorization profiles consist of a set of authorizations and are used to administer authorizations that are required for a particular activity (work center description).

When you call a transaction using its transaction code, a system program starts to perform automatic authorization checks.

Firstly, a system program checks whether the transaction is listed in the table TSTC and whether it is locked. Using the entries in the TSTC table, the system program determines the name of the ABAP program and the number of the first screen.

Next, the system program uses the authorization object S_TCODE to see whether the user is authorized to use the transaction.

After that, it checks whether a particular field of an authorization object is assigned to the Transaction. The user calling the transaction must have an authorization for the authorization object listed in table TSTCA in his or her user master record that also contains the values Specified in table TSTCA.

If the user has this authorization, the system starts the transaction. If not, the transaction is not started, and the system displays an error message.

After this, the authorization checks in the ABAP program (AUTHORITY-CHECK) are processed.