AUTHORITY-CHECK You can use this statement at run time to check whether the user has the authorization

n to execute the specified function in his user profile profile.

Is the user authorized to call the transaction?

The authorization object S_TCODE (call transaction) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

Authority Check: In the program, the programmer specifies an authorization object and the required values for each authorization field. It then searches in the specified authorization profile in the user master record to see whether the user has authorization for the authorization object specified in the command. If the authorization is found and it contains the correct values, the check is successful.

Authorization Fields: represent

the values to be tested during authorization checks. This is the smallest unit against which checks can be made. To create authorization fields, choose Tools -> ABAP Workbench -> Development -> Other tools -> Authorization objects -> Fields OR Tcode SU20 To create a authorization field: 1. Choose Create authorization field. 2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z. 3. Assign a data element from the ABAP Dictionary to the field. Authorization objects: An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination create authorization fields by selecting Tools ABAP Workbench Development Other tools Authorization objs Objects Eg: F_BKPF_BUK Object class: Authorization objects are divided into classes for comprehensibility. An object class corresponds e.g. to an application (Financial accounting, etc.) The SAP authorization concept object classes are under Tools -> Administration -> User maintenance -> Authorizations or go to transaction SU21 Authorizations: An authorization is a combination of permitted values for each authorization field of an authorization object create authorizations by selecting Tools Administration Maintain users Authorization. Profile: User authorizations are grouped together in authorization profiles and not usually assigned directly to user master records You can create profiles manually, but you should use the Profile generator (Tcode - PFCG) Roles: Various Profiles are grouped together to form Roles that are usually assigned to the User master (Tcode PFCG) User Master Record: These enable the user to log onto the SAP System and allow access to the functions and objects in it within the limits of the specified authorization profiles

Explanation of the previous slides color codes

Create the above mentioned objects in the order specified

Authorization check The programmer can perform authorization checks with the ABAP command AUTHORITYCHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful. Example: Check whether the user is allowed to change the postings of business customers: If the authorization F_BKPF_BUK exists in the user's master record, the authorization check is successful.