Authorization

Uploaded by

srsatapathy087

Authorization in SAP protects transactions, programs, and services in SAP systems from
unauthorized access.
Based on the authorization concept, the administrator assigns authorizations to users. These
determine which actions a user can execute in the SAP system after logging on to the
system and authenticating.

Authorization Object

An authorization object is a means of restricting user access to a particular application created in
the system. It can prevent a user from viewing confidential data on screen or deny access to
certain transactions.

Example: Suppose we have a Z table in our system that contains confidential data, which must not be
accessible to all users; only authorized persons may access it. If this table
is used in a program for display or write purposes, that program should be executable only by
authorized users. Make sure to disable table entries when creating the table, and do not create
a Table Maintenance Generator for it, so that this program is the only way to perform read/write
operations on the table.

Authorization Field

An authorization field contains the value that you have defined. It is connected to the data elements
stored in the ABAP Dictionary.

Steps:
1. Create an object class in T-Code SU21.
2. Create an authorization object that contains the authorization fields. You can create an
authorization field in SU20, or create it while creating the authorization object.
3. Create a role in T-Code PFCG.
4. Assign the authorization object to the role and generate the profile.
5. Create a custom program using AUTHORITY-CHECK.

To create an object class and an authorization object inside the object class:


Go to T-Code SU21 and, from the Create button, first select Object Class.

Object Class: An object class contains one or more authorization objects. Every authorization object is
allocated to exactly one class. The class has no functional role; it only groups objects. We will need this
object class to hold the authorization object that we will be creating.
The screen below appears; enter the object class name and save.

An object class can contain many authorization objects. Next, select Authorization Object.
The screen below appears. Provide the object name and text, enter the class name that was already
created, and click on Field Maintenance. You can also create the authorization field in SU20.

Then click on Authorization Field.


Provide the authorization field and data element. Once you press Enter, the
domain and output length are filled in automatically. Select the Save button and go back.

Add the two authorization fields, ZCARRID and ACTVT, and select the Save button.
ACTVT: ACTVT is a standard field within the SAP table TACT that stores activity
information such as create, change, and display.
Select the Permitted Activities button.

You can select as many activities as you need and click on Save. Here I took the display authorization.
The next step is to create a role in T-Code PFCG, to which we will attach our
authorization object.
Enter the role name and click on the Single Role button.

What is a role: A role assigns to a user the user menu that is displayed after they
log on to the SAP system. Roles also contain the authorizations that users can use to
access transactions, reports, and Web-based applications.

Single Role: A single role is created with the profile generator and allows the automatic
generation of an authorization profile. The role contains the authorization data and
the logon menu for the user.

Composite Role: Consists of any number of single roles.

Provide the description and click on Save.


Select the Authorization tab and click on the icon next to the profile name. Once you
click on the icon, the system generates a profile name and a profile text.
What is a profile: A profile is the element in the authorization system that allows a user
to access the system. For an authorization check, the system checks the
profile assigned to the user for the proper authorization.

Click on Change Authorization Data and press Continue.


Do not select any template.
You will see a new screen with the role name at the top left. Here you can add the
authorization object that was created in SU21. Click on the Manually button.

Add the authorization object and press Enter.


Now you need to add values to your object for the users who are to be given
authorization.

Click on Change for ZCARRID.

Press F4 and you can select any number of airline codes. Here I have selected AA;
press Continue and click on the Save button.
Do the same for ACTVT: select Display and click on the Save button.
Then generate the profile by clicking on the Generate icon.
Finally, leave the screen by pressing the Back button. You will see the
Authorizations tab with a green symbol, meaning that the authorization object has been
assigned and the role can be used.
After these steps, click on the User tab, provide the user ID, and click on the User
Comparison button.

Click on Complete comparison.


The user master record is adjusted for all roles.
What is a user master record: The user master record contains all information about
the corresponding user, including authorizations.

The Authorization and User tabs with a green symbol mean that you have successfully
created the authorization and assigned the role to the user.
Create custom program using Authority-check.
Authority-check: AUTHORITY-CHECK is the statement used in an ABAP program to perform an
authorization check against an authorization object. The statement sets sy-subrc to 4 if the user
is not authorized.
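
One way to write the custom program from step 5, as an added example that is not part of the original document. The report and variable names are hypothetical; the object name ZSPF_CARRI is taken from the access control later on this page, and ZCARRID and ACTVT are the fields created above. The report treats every non-zero sy-subrc as a denial, not only 4.

```abap
REPORT zauth_check_demo.
" Hypothetical demo report: lists SPFLI connections for one airline,
" but only after an explicit authorization check has succeeded.

PARAMETERS p_carrid TYPE spfli-carrid OBLIGATORY.

START-OF-SELECTION.
  " Check the object and fields maintained in SU21.
  " '03' is the Display activity that was permitted for the object.
  AUTHORITY-CHECK OBJECT 'ZSPF_CARRI'
    ID 'ZCARRID' FIELD p_carrid
    ID 'ACTVT'   FIELD '03'.

  " Save the return code at once; later statements overwrite sy-subrc.
  DATA(lv_rc) = sy-subrc.

  " Fail closed: only 0 grants access.
  "    4 = the user has the object, but not for these field values
  "   12 = the user has no authorization for the object at all
  " Any other non-zero value is also handled as a denial.
  IF lv_rc <> 0.
    DATA(lv_text) = |No display authorization for airline { p_carrid } (rc { lv_rc })|.
    MESSAGE lv_text TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Reached only by users whose role carries ZCARRID = p_carrid and ACTVT = 03.
  SELECT carrid, connid, cityfrom, cityto
    FROM spfli
    WHERE carrid = @p_carrid
    INTO TABLE @DATA(lt_connections).

  IF lt_connections IS INITIAL.
    WRITE: / 'No connections found for airline', p_carrid.
    RETURN.
  ENDIF.

  LOOP AT lt_connections INTO DATA(ls_connection).
    WRITE: / ls_connection-carrid, ls_connection-connid,
             ls_connection-cityfrom, ls_connection-cityto.
  ENDLOOP.
```

With the role built above (ZCARRID = AA, ACTVT = 03), running the report for AA lists the connections, while any other airline code ends at the denial message.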
Authorization in CDS View
We all know how authorization works in ABAP using the ABAP statement AUTHORITY-CHECK. A CDS
view has its own authorization concept: CDS access controls, written in a data control language (DCL).

DCL (Data Control Language): DCL is used to define the authorization for the CDS view. It
controls access to the retrieved data based on the user.

As a first step, we create a CDS view from the table SPFLI.

@AbapCatalog.sqlViewName: 'ZMMAUTH'
@AbapCatalog.compiler.compareFilter: true
@AbapCatalog.preserveKey: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Authorization Check'
define view ZMM_Authorization as select from spfli {
//spfli
key carrid,
connid,
cityfrom,
cityto
}

Creating an access control with CDS.


We have already created the authorization object and authorization field. We now need to connect
them with our CDS view so that it recognizes the DCL. To do this, in Eclipse, right-click on the Core
Data Services folder, click New, and select Access Control.
Now add the code below to the access control. The authorization object and
authorization field must be the same as the ones you created in T-Code
SU21.

Inside Access Control


Annotations in DCL
@EndUserText.label: 'Access Control'
The translatable short text for the role.

@MappingRole: true
The role is implicitly assigned to all users.

Define Role: Provide a role name here.

Grant select on: This is the CDS view on which data restrictions are to be applied
through a DCL.

Where: This is the field which is to be restricted.

Aspect pfcg_auth: This is the place to include the authorization object and the
authorization fields to which it applies, together with the permitted ACTVT activities. The
possible values of ACTVT for that authorization object can be seen in T-Code SU21. As
most CDS views are used for reading, 03 is used, which stands for display.

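@EndUserText.label: 'Access Control'
@MappingRole: true
define role ZACCESS_CONTROL {
  // Rows of the CDS view are returned only where CARRID matches a ZCARRID
  // value the user holds for object ZSPF_CARRI with activity 03 (display).
  grant
    select
      on
        ZMM_AUTHORIZATION
          where
            ( CARRID ) = aspect pfcg_auth(ZSPF_CARRI, ZCARRID,
                                          ACTVT = '03');
}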