Authorization
Authorization in SAP protects transactions, programs, and services in SAP systems from
unauthorized access.
On the basis of the authorization concept, the administrator assigns authorizations to users.
These determine which actions a user can execute in the SAP system after logging on to the
system and authenticating.
Authorization Object
An authorization object is a means of restricting users' access to a particular application created in
the system. It can deny a user the ability to view confidential data on screen or deny access to
certain transactions.
Example: Suppose we have a Ztable in our system that contains confidential data, which must not be
accessible to all users. Only authorized persons may have access to the data. If this table is
used in a program for display/write purposes, that program should be executable only by
authorized users. Make sure to disable Table Entries when creating the table, and do not create
a Table Maintenance Generator either, so that only this program is used to perform read/write
operations on the table.
Authorization Field
An authorization field contains the value that you have defined. It is connected to the data elements
stored in the ABAP Dictionary.
Steps:
1. Create an object class in T-Code SU21.
2. Create an authorization object, which contains the authorization fields. You can create an
authorization field in SU20 or while creating the authorization object.
3. Create a role in T-Code PFCG.
4. Assign the authorization object to the role and generate the profile.
5. Create a custom program using AUTHORITY-CHECK.
Object Class: An object class contains one or more authorization objects. Every authorization object is
allocated to exactly one class. The class has no functional role; it only groups objects. We will need this
object class to hold the authorization object that we will be creating.
On the screen that appears, enter the object class name and save.
An object class can contain many authorization objects; select Authorization Object.
On the screen that appears, provide the object name and text (the class name is the one already
created) and click on Field Maintenance. You can also create the authorization field in SU20.
Add the two authorization fields, ZCARRID and ACTVT, and select the Save button.
ACTVT: ACTVT is a standard field within SAP table TACT that stores activity
information such as create, change, display.
Select the Permitted Activities button.
You can select as many activities as you need and click on Save. Here I took display authorization.
The next step is to create a role in T-Code PFCG, to which we will attach our
authorization object.
Enter the role name and click on the Single Role button.
What is a role: A role assigned to users defines the user menu that is displayed after they
log on to the SAP system. Roles also contain the authorizations that users can use to
access transactions, reports, and Web-based applications.
Single Role: A single role is created with the profile generator and allows the automatic
generation of an authorization profile. The role contains the authorization data and
the logon menu for the user.
Press F4 and you can select any number of airline codes. Here I have selected AA. Press
Continue and click on the Save button.
Do the same for ACTVT: select display and click on the Save button.
Then generate the profile by clicking on the Generate icon.
Finally, leave the screen by pressing the Back button. You will see the
Authorizations tab with a green symbol, meaning the authorization object has been
assigned and the role can be used.
After these steps, click on the User tab, provide the user ID and click on the User
Comparison button.
The Authorization and User tabs with a green symbol mean you have successfully
created the authorization and assigned the role to the user.
Create custom program using Authority-check.
Authority-check: AUTHORITY-CHECK is the statement used in an ABAP program to perform an
authorization check against an authorization object. The statement returns sy-subrc 4 if the user
is not authorized.
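A short report for step 5, added here as an example and not taken from the original page. The authorization object name ZCARR_AUTH and the report name are hypothetical, and the standard table SPFLI stands in for the confidential Ztable; ZCARRID, ACTVT and activity 03 (display) are the values used on this page.

```abap
REPORT zdemo_carrid_auth.
* Added example. ZCARR_AUTH (authorization object) and the report name are
* hypothetical; ZCARRID, ACTVT and activity 03 (display) come from the page.

PARAMETERS p_carrid TYPE spfli-carrid OBLIGATORY.

START-OF-SELECTION.
  " Check the requested airline code and the display activity together.
  AUTHORITY-CHECK OBJECT 'ZCARR_AUTH'
    ID 'ZCARRID' FIELD p_carrid
    ID 'ACTVT'   FIELD '03'.

  " Fail closed: 0 is the only success value. 4 means the user lacks the
  " authorization; every other non-zero code is treated as a denial too.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this airline code'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " The table is read only after the check has passed.
  SELECT carrid, connid, cityfrom, cityto
    FROM spfli
    INTO TABLE @DATA(lt_connections)
    WHERE carrid = @p_carrid.

  IF lt_connections IS INITIAL.
    MESSAGE 'No connections found' TYPE 'S'.
    RETURN.
  ENDIF.

  LOOP AT lt_connections INTO DATA(ls_connection).
    WRITE: / ls_connection-carrid, ls_connection-connid,
             ls_connection-cityfrom, ls_connection-cityto.
  ENDLOOP.
```

With the role built above (ZCARRID = AA, ACTVT = display), entering AA lists the connections and any other airline code ends at the denial message.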
Authorization in CDS View
We all know how authorization works in ABAP using the ABAP statement AUTHORITY-CHECK. CDS
views have their own authorization concept: CDS access controls, written in a data control language (DCL).
DCL (Data Control Language): DCL is used to define the authorization for the CDS view, which
controls access to the data retrieved based on the user.
As a first step, we create an implementation CDS view from the table SPFLI.
@AbapCatalog.sqlViewName: 'ZMMAUTH'
@AbapCatalog.compiler.compareFilter: true
@AbapCatalog.preserveKey: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Authorization Check'
define view ZMM_Authorization as select from spfli {
  //spfli
  key carrid,
      connid,
      cityfrom,
      cityto
}
@MappingRole: true means the role is implicitly assigned to all users.
Grant select on: This is the CDS view on which data restrictions are to be applied
through a DCL.
Aspect pfcg_auth: This is the place to include the authorization object and the
authorization fields on which it is applied, with the ACTVT permitted activities. The
possible values of ACTVT for that authorization object can be seen in T-Code SU21 as shown below. As
most CDS views are used for reading, 03 is used, which is for display.