
SAP Authorizations Basic Overview

Posted on 2014-12-16

This article contains the very basic information about implementing security in SAP / ABAP using
Authorizations.

Important transactions:
SU20 - Maintain Authorization Fields
SU21 - Maintain Authorization Classes/Objects
SU22 - Maintain Authorization Default Values
SU22_HISTORY - Change Documents for Default Values
SU24
    o Maintain Authorization Defaults
    o Assign Authorization Object to [TCode|WDY|IDOC|Workflow...]
    o Define Authorization templates
    o Default Values Comparison
SU24_HISTORY - Change Documents for Default Values
SU25 - Upgrade Tool for Profile Generator
SU25_2A_SEL - Authorization Defaults Comparison
SU26 - Upgrade Tool for Profile Generator
SU56 - Analyze User Buffer (Display all buffered authorizations for current user)
SE54 - Create/Assign Authorization Groups
PFCG - Role Maintenance

Example business scenario

Let's try a basic example: in our new business scenario we'd like to check whether the user is authorized to
perform an operation by checking the Authorization object Z_EXAMPLE, where the value of its field ACTIVE must
be set to 'X' (abap_true).

You can check the Authorization object Z_EXAMPLE in TCode SU21 (you can find it using the built-in
search functionality: Ctrl+F). You can see we created it under the class Basis: Administration with one field
called ACTIVE.
If you double-click on the field called ACTIVE, you can see the details of the field plus the list of Authorization objects
in which this field is used (currently it is used in object Z_EXAMPLE only).

Let's test whether your user is authorized to run the business scenario with the following piece of code:

    * This object must be assigned to the user's role and its field ACTIVE must be 'X'
    AUTHORITY-CHECK OBJECT 'Z_EXAMPLE'
      ID 'ACTIVE' FIELD abap_true.

    WRITE: 'Result: ', sy-subrc.

And the result is return code 12, because no role grants Z_EXAMPLE to the user yet. The possible values
of SY-SUBRC after AUTHORITY-CHECK are:

SY-SUBRC = 0
Authorization successful or no check was carried out.
An authorization for the authorization object was found in the user master record,
and its value sets include the specified values.
SY-SUBRC = 4
Authorization check not successful.
One or more authorizations were found for the authorization object
in the user master record and they include the value sets,
but not the values specified, or incorrect authorization fields or too many fields were specified.
SY-SUBRC = 12
No authorization was found for the authorization object in the user master record.
SY-SUBRC = 24
This return code is no longer set.
SY-SUBRC = 40
An invalid user name was specified in the FOR USER addition.
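The article's snippet only prints sy-subrc. The following report is an added example (not code from the article) that runs the same Z_EXAMPLE / ACTIVE check but maps every return code listed above to a decision and a reason, and fails closed when the check does not return 0. It also shows the FOR USER addition, which lets an administrator test another user's master record. The report name Z_EXAMPLE_AUTH_DEMO, the class name lcl_auth and the message texts are assumptions; the authorization object and field are the ones from the article.

```abap
*&---------------------------------------------------------------------*
*& Report Z_EXAMPLE_AUTH_DEMO  (added example; report name is hypothetical)
*& Runs the Z_EXAMPLE / ACTIVE check from the article, evaluates every
*& SY-SUBRC value instead of only printing it, and optionally checks a
*& different user via the FOR USER addition.
*&---------------------------------------------------------------------*
REPORT z_example_auth_demo.

PARAMETERS p_user TYPE syuname DEFAULT sy-uname.

CLASS lcl_auth DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true only for SY-SUBRC = 0; ev_reason explains a denial.
    CLASS-METHODS is_allowed
      IMPORTING iv_user           TYPE syuname
      EXPORTING ev_reason         TYPE string
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD is_allowed.
    rv_allowed = abap_false.

    " FOR USER evaluates the named user's master record instead of sy-uname;
    " without that addition the statement is identical to the one in the article.
    AUTHORITY-CHECK OBJECT 'Z_EXAMPLE' FOR USER iv_user
      ID 'ACTIVE' FIELD abap_true.

    CASE sy-subrc.
      WHEN 0.
        rv_allowed = abap_true.
        ev_reason  = 'Authorization found and ACTIVE contains X'.
      WHEN 4.
        ev_reason  = 'Z_EXAMPLE is in the user master, but ACTIVE does not contain X'.
      WHEN 12.
        ev_reason  = 'No authorization for Z_EXAMPLE in the user master record'.
      WHEN 40.
        ev_reason  = 'Invalid user name passed to FOR USER'.
      WHEN OTHERS.
        ev_reason  = |Unexpected return code { sy-subrc }|.
    ENDCASE.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_reason TYPE string.

  DATA(lv_allowed) = lcl_auth=>is_allowed( EXPORTING iv_user   = p_user
                                           IMPORTING ev_reason = lv_reason ).

  IF lv_allowed = abap_true.
    WRITE: / 'Business scenario allowed for user', p_user.
    " ... perform the protected operation here ...
  ELSE.
    " Fail closed: the protected operation is not executed and the caller
    " is told why, which the bare WRITE of sy-subrc does not provide.
    WRITE: / 'Business scenario denied for user', p_user, ':', lv_reason.
  ENDIF.
```

Run it once before and once after the role assignment described in the next section: the first run ends in the SY-SUBRC = 12 branch, the second in the SY-SUBRC = 0 branch. Treating every non-zero code as a denial (rather than only testing for 12) is the safe default, because code 4 also means the user must not proceed.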

The question now is how to assign the authorization to a user.


We have to create a new role Y_EXAMPLE (or assign the object to an existing role) in TCode PFCG. After
we set the new role's name and description, we go to the tab Authorizations and click on the button Change
Authorization Data.

We don't want to use a role template, so we press Cancel on the Template selection screen and the main screen
called Change Role: Authorizations is displayed.

This time we add the authorization object manually and set the value of field ACTIVE to 'X'.

Once you SAVE the changes, you are asked to assign the profile name: enter a valid profile name and press
the Generate button.

Now we have the Authorization Role, Authorization Profile, Authorization Object and its fields ready to be
used. We just have to select the users who will be granted the new Authorization role or Profile. To assign
this new role to a user:

1. Run TCode SU01
2. Go to change mode for the selected user
3. Navigate to the tab Roles
4. Assign the user the new role Y_EXAMPLE you just created
5. Save changes

If we now run the same ABAP code as in the beginning, the check succeeds and the result is 0.

Restrict Table View/Edit for TCode SM30 / SE16 or your own Z/Y TCode

Another business scenario might be restricting a user's access to TCode SM30 or SE16, or to your own
Z/Y TCode, to a limited list of tables. That list of tables is defined by assigning the required
tables to an Authorization group.

You either already have an authorization group or you can create a new one in TCode SE54: select the
Authorization Groups radio button and click on the button Change/Create.

Assignment of a table to an Authorization group can be done either:

Directly in change mode in TCode SE11 (Top menu -> Utilities -> Assign Authorization Group)
In TCode SE54: select the Assign Authorization Group radio button and click on the Change/Create button

Restricting access to such tables (assigned to an Authorization group, e.g. Y001) can be done by creating
a Role which must include at least two objects:

Object S_TCODE
    o Object is part of Authorization class AAAB (Cross-application Authorization Objects)
    o Field TCD (Transaction Code) = SM30 (or your own Z/Y TCode created for your table maintenance)
Object S_TABU_DIS
    o Object is part of Authorization class BC_A (Basis: Administration)
    o Field DICBERCLS (Table Authorization Group) = Y001
    o Field ACTVT (Activity) = 02 (Change), 03 (Display)
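The role above only helps if the transaction actually performs the S_TABU_DIS check; SM30 and SE16 do, but a self-written Z/Y table maintenance report must do it itself. The following report is an added example (not code from the article) of that check: it looks up the table's authorization group from the standard assignment table TDDAT (the assignment made in SE54/SE11), treats an unassigned table as the non-classified group &NC&, and then checks S_TABU_DIS with DICBERCLS and the activity that matches what the user is about to do (03 for display, 02 for change). The report name Z_TABLE_MAINT_DEMO, the class name lcl_table_auth and the parameter names are assumptions; the S_TCODE check for the transaction itself is performed by the system when the transaction is started and is therefore not repeated in the code.

```abap
*&---------------------------------------------------------------------*
*& Report Z_TABLE_MAINT_DEMO  (added example; report name is hypothetical)
*& S_TABU_DIS check a custom Z/Y table-maintenance transaction should run
*& before it displays (ACTVT 03) or changes (ACTVT 02) a table.
*&---------------------------------------------------------------------*
REPORT z_table_maint_demo.

PARAMETERS: p_table TYPE tabname OBLIGATORY,
            p_chg   AS CHECKBOX.        " set = change (02), empty = display (03)

CLASS lcl_table_auth DEFINITION.
  PUBLIC SECTION.
    " Resolves the table's authorization group and runs the S_TABU_DIS check.
    CLASS-METHODS check
      IMPORTING iv_table     TYPE tabname
                iv_actvt     TYPE c
      EXPORTING ev_group     TYPE tddat-cclass
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_table_auth IMPLEMENTATION.
  METHOD check.
    rv_ok = abap_false.

    " TDDAT stores the table -> authorization group assignment made in SE54
    " or SE11. A table without a group belongs to the non-classified group
    " &NC&, so unassigned tables are still subject to a group check.
    SELECT SINGLE cclass FROM tddat INTO ev_group WHERE tabname = iv_table.
    IF sy-subrc <> 0 OR ev_group IS INITIAL.
      ev_group = '&NC&'.
    ENDIF.

    " Same object and fields as in the role described above:
    " DICBERCLS = table authorization group, ACTVT = 02 change / 03 display.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD ev_group
      ID 'ACTVT'     FIELD iv_actvt.
    IF sy-subrc = 0.
      rv_ok = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lv_actvt TYPE c LENGTH 2,
        lv_group TYPE tddat-cclass,
        lv_msg   TYPE string.

  " Check the activity the user is about to perform, never just "display":
  " a user with only ACTVT 03 in the role must not reach the change dialog.
  IF p_chg = abap_true.
    lv_actvt = '02'.
  ELSE.
    lv_actvt = '03'.
  ENDIF.

  DATA(lv_ok) = lcl_table_auth=>check( EXPORTING iv_table = p_table
                                                 iv_actvt = lv_actvt
                                       IMPORTING ev_group = lv_group ).

  IF lv_ok = abap_true.
    WRITE: / 'Access granted:', p_table, 'group', lv_group, 'activity', lv_actvt.
    " ... open the maintenance dialog for the table here ...
  ELSE.
    " Fail closed with a type E message, so the maintenance dialog never opens.
    lv_msg = |No authorization for table { p_table } (group { lv_group }, activity { lv_actvt })|.
    MESSAGE lv_msg TYPE 'E'.
  ENDIF.
```

With the role from this section (DICBERCLS = Y001, ACTVT = 02 and 03), a table assigned to group Y001 passes in both modes, while a table in any other group, or an unassigned table in &NC&, is rejected before any maintenance screen is shown. Checking S_TABU_DIS in the custom transaction is what makes the group assignment effective; the S_TCODE entry alone only controls whether the transaction can be started.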
