SAP BC AUTHORITY CHECK



  



Authorizations
Authorizations are a method used to protect functions or objects within an AS ABAP. The programmer of a function determines where authorizations are checked and how. The user administrator determines which users can execute a function or access an object.
The following terms are central to the SAP authorization concept:

Authorization Field
Smallest unit of an authorization object. An authorization field represents either data, such as a key field of a database table, or activities, such as Read or Change. Activities are specified as IDs, which are stored in the database table TACT and the customer-specific table TACTZ.
They are maintained in transaction SU20.

Authorization Object
A repository object on which authorizations are based. An authorization object consists of up to 10 authorization fields. Combinations of authorization fields, which represent data and activities, are used to grant and check authorizations. Authorization objects are grouped together organizationally in authorization object classes.
They are maintained in transaction SU21.

Authorization
An entry in the user master record as part of an authorization profile. An authorization consists of complete or generic values for the authorization fields of an authorization object. The combination determines which activities a user can use to access certain data.
They are generated from transaction PFCG (profile generator for role maintenance). They can also be displayed using transaction SU03.

Authorization Profile
A combination of multiple authorizations. Multiple authorization profiles can be assigned to a single authorization. Authorizations are assigned to users by specifying authorization profiles in the user master record.
They are generated from transaction PFCG (profile generator for role maintenance). They can also be displayed using transaction SU02.

User Master Record
A user master record must exist before a user can log on to an AS ABAP. The master record determines which actions users are allowed to execute and which authorizations they are assigned. Default settings, such as the format in which decimal places are displayed in lists, are also stored in the user master record. An authorization profile can be assigned to users as often as required.
They are maintained in transaction SU01.

Authorization Check
A check to determine whether the current user of a program has a certain authorization. The check compares a value with the corresponding entries for each authorization field of an authorization object in the user master record. Check indicators control whether an authorization check is performed.
Authorization checks are made explicitly using the ABAP statement AUTHORITY-CHECK or implicitly.
Implicit authorization checks are made, for example, when starting transactions by entering the transaction code in the command field of the SAP GUI or in statements such as LEAVE TO TRANSACTION or SUBMIT.
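
An explicit check of the kind described above, as an added example that is not SAP's own code. It assumes the flight-model demo objects (authorization object S_CARRID with fields CARRID and ACTVT, table SFLIGHT) exist in the system; the report name and message texts are hypothetical.

```abap
REPORT z_demo_authority_check.   " hypothetical report name

" Carrier whose flights the user wants to display.
PARAMETERS p_carr TYPE sflight-carrid.

START-OF-SELECTION.

  " Explicit check against the current user's master record.
  " CARRID carries the data value, ACTVT the activity ('03' = Display).
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carr
    ID 'ACTVT'  FIELD '03'.

  " AUTHORITY-CHECK only sets sy-subrc. Protecting the data is the
  " programmer's job: evaluate the result and stop on anything but 0.
  CASE sy-subrc.
    WHEN 0.
      " Authorized, or the check was switched off by a check indicator.
    WHEN 4.
      " An authorization for S_CARRID exists, but its values
      " do not cover this carrier/activity combination.
      MESSAGE 'No display authorization for this carrier'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    WHEN 12.
      " The user master record holds no authorization for S_CARRID.
      MESSAGE 'No authorization for object S_CARRID'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    WHEN OTHERS.
      " Any other return code is treated as a failed check.
      MESSAGE 'Authorization check failed'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
  ENDCASE.

  " Reached only after a successful check.
  SELECT carrid, connid, fldate, price
    FROM sflight
    WHERE carrid = @p_carr
    INTO TABLE @DATA(flights).

  cl_demo_output=>display( flights ).
```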

Authorization Assignment
The entry of authorization profiles in the user master record.

Composite Profiles
Composite profiles were used before the profile generator for role maintenance (transaction PFCG) was introduced in manual maintenance of profiles (transaction SU02) to organize the authorization structure. They are not, however, absolutely necessary. An authorization profile can be assigned to composite profiles as often as required.



Latest notes:

ABAP CDS enables access control based on implicit evaluations of access conditions. These access conditions can be defined as PFCG conditions based on authorizations of transaction PFCG.
During an update, no authorizations of the SAP authorization concept are checked.