Authorization Checks: -
Following are the various ways of performing the authorization checks: -
1) Authorization Groups: -
Authorization groups are used to group the logically related objects.
· In the table maintenance screen, an entry for the authorization group should be created.
· While creating the program the authorization group should be specified in the attributes screen of the program.
· In the view TRDIR, we can get the list of all the objects associated with the authorization group.
· Following is an example of the standard authorization group used for the batch processing of the FI documents.



Effects: -
· All the users who have the authorization group in their profile can execute all the objects assigned to the authorization group.
· A single role should be created for all users (required to execute this group).
Limitations: -
· Authorization groups work efficiently if the custom functionality developed has a lot of objects for a single set of users.
· Even if an authorization group is used, we still need to check the authorization at the field level. Ex: - An authorization group is created for HR reports related to compensation and is assigned to the compensation analyst role. We still need to check the individual compensation plan (like LTIP & STIP), as an LTIP analyst should not be able to execute STIP reports.
Note: -
· The authorization group specified for the table maintenance is different from that of a program.
· Most of the standard programs (like changing FI documents) don’t use authorization groups but use authorization objects and authorization fields (see the following screen shots).


2) Authorization Object check at the transaction level: -
The access to a transaction can be restricted by using the authorization object.
· While creating the transaction, authorization object should be specified.
· Now the values tab should be selected to specify values to the fields of the authorization
object.
Effects: -
· In the above standard SAP transaction, the authorization object ‘F_BKPF_BUK’ is used with the values ‘01’ (create) for the ACTVT (activity) and blank for BUKRS (company code). (See the following picture)
· All the users who have the create authorization will have access to this transaction, i.e. a user with the change authorization can’t access this transaction. Likewise, ‘02’ and ‘03’ can be used for change and display authorizations.
· A single role should be created for all users (required to execute this transaction) with the authorization
object, field and the actual value (create authorization - ‘01’).

Limitations: -
· This level of authorization check will allow all the users (with create authorizations) to create documents for all the company
codes.
3) Authorization Fields: -
Authorization fields should be used to check the authorizations at the micro level.
· Add the following code in the program.
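AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'ACTVT' FIELD BER-ACT
  ID 'BUKRS' FIELD A08-BUKRS.
IF SY-SUBRC NE 0.
  " The check only sets SY-SUBRC; the program must stop on failure.
  MESSAGE 'No authorization for this company code' TYPE 'E'.
ENDIF.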
Effects: -
· A user can only create / access data for a company code for which he has the authorizations.
· A separate role should be created for each user with the authorization object, field and the actual values (company codes).
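The field-level check applied once per company code, as an added example that is not part of the original page: the report reads and lists only the company codes for which the user passes the check. The report name ZFI_AUTH_DEMO, the selection option S_BUKRS, the use of table T001 as the source of company codes and the choice of activity '03' (display) are assumptions made for illustration.

```abap
REPORT zfi_auth_demo. " hypothetical report name (assumption)

TABLES t001.
SELECT-OPTIONS s_bukrs FOR t001-bukrs. " company codes requested by the user

DATA: lt_bukrs   TYPE STANDARD TABLE OF t001-bukrs,
      lt_allowed TYPE STANDARD TABLE OF t001-bukrs,
      lv_bukrs   TYPE t001-bukrs.

START-OF-SELECTION.
  " Resolve the selection into concrete company codes first, so that
  " every value is checked individually rather than as a range.
  SELECT bukrs FROM t001 INTO TABLE lt_bukrs WHERE bukrs IN s_bukrs.

  LOOP AT lt_bukrs INTO lv_bukrs.
    " AUTHORITY-CHECK does not stop the program by itself; it only
    " sets SY-SUBRC, so the result has to be evaluated every time.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'ACTVT' FIELD '03'
      ID 'BUKRS' FIELD lv_bukrs.
    IF sy-subrc = 0.
      APPEND lv_bukrs TO lt_allowed.
    ELSE.
      WRITE: / 'Skipped, no display authorization:', lv_bukrs.
    ENDIF.
  ENDLOOP.

  " Fail closed: without at least one authorized company code,
  " no business data is read at all.
  IF lt_allowed IS INITIAL.
    MESSAGE 'No authorization for any selected company code'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Only the authorized company codes reach the data-reading step.
  LOOP AT lt_allowed INTO lv_bukrs.
    WRITE: / 'Authorized company code:', lv_bukrs.
  ENDLOOP.
```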
Note: -
· At the high level, all the custom functionality will always be executed using a custom transaction. Security needs to add this transaction to the user profile to grant access to the custom functionality.
· For the next level of authorizations, any of the above three methods (sometimes all of them) can be used, depending on the requirement.
· For the HR reports, if the program is assigned to the logical database PNPCE, the standard code will do the field level authorization check.

SU21
· Following is the list of screens required for the creation / display of the authorization classes / objects and fields.
Security Roles: -
· Following are the screen shots of the role maintenance.
· Following is the order of the authorization checks performed by the system: -
o Transaction Code check (Object – S_TCODE, Value – Transaction Code)
o Program Check (Object – S_PROGRAM, Values – Execution and the authorization group).
o Individual objects checks – (Object – Auth Object, Values – Field and required Values).
All of the product names here are trademarks of their respective companies. The site www.allsaplinks.com is in no way affiliated with SAP AG. We have made every effort to ensure content integrity. Information on this site is used at your own risk.