ARTICLE
Authorizations
Authorization checks are a means of protecting functions or objects in
an AS ABAP . The programmer of the
function determines where and how these checks are made, while the user
administrator determines who can execute a function or access an object.
The following terms are central to the
SAP authorization concept :
Authorization Field
Smallest unit in an authorization object. An authorization field either
represents data, such as a key field in a database table, or activities,
such as Read or Create. Activities are specified as identifiers, which
are stored in the database table
TACT and the customer-specific table TACTZ .
Maintenance using transaction SU20 .
Authorization Object
Repository object that forms the
basis of authorizations. An authorization object comprises up to 10
authorization fields. The combination of authorization fields, which
represent data and activities, is used for authorization assignment and
to check authorizations. Authorization objects are grouped together in
authorization classes.
Maintenance using transaction SU21 .
Authorization
Enter in the user master record or part of an authorization profile. An
authorization comprises complete or generic values for the authorization
fields in an authorization object. The combination determines the
activities with which a user can access certain data.
Generation from transaction PFCG (profile
generator for role maintenance). Display using transaction
SU03 .
Authorization Profile
Grouping of several individual authorizations. Several authorization
profiles can be assigned to an authorization. Authorizations are
assigned to users by specifying authorization profiles in the user
master record.
Generation from transaction PFCG (profile
generator for role maintenance). Display using transaction
SU02 .
User Master Record
The existence of a user master record is a prerequisite for logon to an
AS ABAP . The master record
determines which actions users are allowed to execute and which
authorizations they are assigned. Default settings, such as the format
in which decimal places are displayed in lists, are also stored in the
user master record. An authorization profile can be assigned to users as
often as you wish.
Maintenance in transaction SU01 .
Authorization Check
Check to determine whether the current program user has a certain
authorization. The check compares a value with the corresponding entries
in each authorization field in an authorization object in the user
master record. Check indicator s
control whether an authorization check is performed.
The ABAP statement for this is
AUTHORITY-CHECK .
Authorization Assignment
Creation of authorizations in the user master record.
Composite Profiles
Composite profiles were used (before the profile generator was
introduced) in manual profile maintenance (transaction
SU02 ) to structure the authorization structure, but are not
necessarily required. An authorization profile can be assigned to
composite profiles as often as you wish.
Documentation extract taken from SAP system, � Copyright SAP AG. All rights reserved