ADM940 SAP Authorization Concept
Appendix: Development of Authorization Elements
© SAP Región Sur. SAP R/3 Enterprise 4.7 • SAP Web Application Server 6.20
Appendix Content:
Authorization Elements Overview.
Authorization Fields.
Authorization Object.
Organization Level for Profile Generator.
Authority Checks.
Authorization Profile.
Access to Individual Tables and Views.
User Administrators.
Glossary.
SAP AG 2003
[Figure: Authorization Elements Overview. The diagram links each element to the transactions used to maintain it: ABAP Program; Database Table (SE11 view, SE16 or SM30); Menu Area (SE43, PFCG menu); Transaction (SE93: report transaction, or parameter transaction with START_REPORT); View (SE11); User (SU01 and SU10: roles); Role (PFCG: user, menu, authorization, description for derived role, roles for composite role); Authorization (PFCG); organizational level fields (PFCG_ORGFIELD_CREATE).]
- IMPORTANT TRANSACTIONS:
For additional information, see transactions SU*, PF*, SM*.
PFCG: Role maintenance [1]
PFUD: User Master Data Reconciliation (schedule: PFCG_TIME_DEPENDENCY)
RZ10: Maintenance of Profile Parameters
SA38: ABAP Reporting
SE11: ABAP/4 Dictionary Maintenance
SE12: ABAP/4 Dictionary Display
SE13: Technical Settings
SE16: Data Display/Maintenance (Data Browser)
SE38: ABAP Editor
SE43: Maintain Area Menu
[1] In older releases, this description is Profile Generator or Activity Group Maintenance.
- In authorization objects, authorization fields represent the values to be tested during authorization checks.
- Authorization fields are stored in the R/3 transparent table AUTHX. This table is cross-client, so an authorization field name must be unique in the whole system, because it must be unique in that table.
- To maintain authorization fields, choose Tools→ ABAP Workbench→ Development→ Other Tools→ Authorization Objects→ Fields, or execute Transaction SU20. The initial screen shows:
• A toolbar with the following buttons for maintaining authorization fields:
  - Create: adds a new authorization field to table AUTHX.
  - Display: shows the data of an existing authorization field.
  - Find: searches for an authorization field in the list Authorization check fields.
  - Change: changes the data of an existing authorization field.
  - Delete: deletes an existing authorization field. You cannot delete an authorization field that is used in an authorization object.
- To create an authorization field, press the Create button in the previous screen. Then, in the above screen:
• Enter the name of the field (Field name): field names must be unique. SAP recommends that the name begin with the letter Y or Z.
• Assign a data element from the ABAP Dictionary to the field (Data element): the data element gives the authorization field its display description and its domain. For this reason, SAP recommends creating a dedicated data element for a new authorization field. After you press Enter, the domain linked to the entered data element is displayed.
• If desired, enter a check table, value table or search help for the possible entries (field Table Name under the Maintenance Dialog for Authorization Values section). This connection provides the possible field values. Value ranges can also be defined through the domain with which the field is associated.
• Finally, press the Save button and exit with the Back button.
- In the initial screen, you can find the new authorization field using the Find button.
- For documentation purposes, authorization objects are classified into authorization object classes (or simply object classes). Each authorization object must be assigned to an object class when it is created.
- To maintain object classes and authorization objects, choose Tools→ ABAP Workbench→ Development→ Other Tools→ Authorization Objects→ Objects, or use Transaction SU21. The system then displays the list of existing object classes (see the background screen above).
• Object classes are organized according to the components of the system. Before you can create a new authorization object, you must define the object class for the component in which you are working. If you do so, choose class names that begin with Y or Z to avoid conflicts with SAP names.
• The authorization class is cross-client.
• To create a new authorization class, press the Create button. The front window shown above appears. Here you must define:
  - an authorization class ID (Object class);
  - a description (Text).
• To save, press the Save button.
• To display the list of authorization objects of a specific authorization class, select that class in the List of Object Classes screen (or double-click it).
- For each authorization class, a list of authorization objects is displayed [2]:
[2] In our example (screen above), this list is empty because ZUSR is a new authorization class.
[3] In some cases, SAP recommends including the technical name somewhere in this description, because some reports (such as Transaction SU02 for manual authorization profile management) only display the description and not the technical name.
[4] If you want to remove fields from the object, the whole authorization object must be deleted and recreated; you can add authorization fields to the object if the object is no longer used. Only then can the corresponding fields accept data.
- You can create detailed documentation for the authorization object. In the previous screen, press the Create object documentation button and the above screen appears.
If you want to change the authorization fields of an object, this is only possible after all authorizations that use the object and all calls of the AUTHORITY-CHECK language command for it have been deleted.
[5] This property applies to any alphanumeric authorization field, not only to the ACTVT (Activity) authorization field.
[6] In some systems, the modal window Create authorization object may remain in the foreground. Press the Cancel button and the window disappears. However, the new authorization object (ZUSERNAME in our example) will not yet be shown in the list of objects of the authorization class, because Transaction SU21 does not refresh automatically. Restart Transaction SU21 and select the ZUSR object class again; ZUSERNAME now appears in the list, as in the screen above.
- The current maintenance status of the authorizations at the various levels is shown by traffic lights:
• Green: all fields below this level have been supplied with values. Check whether the values given are appropriate.
• Yellow: below this level there is at least one field (but not an organizational level) for which no data has been entered.
• Red: below this level there is at least one organizational level field that has not been maintained.
- Sometimes it is necessary to convert ordinary authorization fields into organizational fields, also called organizational level fields.
[Screen: before maintenance]
[Screen: after maintenance]
[Figure: flow chart of the checks performed when an R/3 transaction is started. Is the transaction code valid? (check of table TSTC). Does the user have the necessary authorization for the transaction code? Is an authorization object assigned to the transaction code? (check of table TSTCA; any authorization object can be used here). If yes, does the user have that authorization? Each "No" stops the transaction; "Yes" continues.]
- When a transaction is started, a system program executes various checks to ensure that the user has the correct authorizations [7]:
• Is the transaction code valid? The system checks table TSTC: if the answer is negative, the check fails.
• Is the transaction locked by the system administrator [8]? The system checks table TSTC: if the answer is positive, the check fails.
• Is the user authorized to start the transaction? The authorization object S_TCODE (Transaction start) contains the field TCD (Transaction code). The user must have an authorization containing a value for the transaction code: if not, the check fails.
• Is an authorization object assigned to the transaction code? If yes, is the user authorized? If the user does not have an authorization for the corresponding authorization object, the check fails.
[7] All checks are executed internally with the ABAP statement AUTHORITY-CHECK.
[8] To lock or unlock transactions in the entire system, use Transaction SM01.
- If one of the above checks fails, the transaction is not started and the system displays an error message.
- If none of the above checks fails, the transaction is started, and the ABAP program called by the transaction usually performs further authorization checks, triggered by the statement AUTHORITY-CHECK. For each authority check in the program, the programmer specifies:
• the authorization object used and the required values for each authorization field;
• the reaction of the program if an authorization fault is detected.
- To assign an authorization object to a transaction, use Transaction SE93 or choose Tools→ ABAP Workbench→ Development→ Other Tools→ Transactions [9]. In the above screen [10]:
[9] If you are creating a new transaction, enter the transaction name and press the Create button; in the window Create Transaction that appears, enter the required information and press the Continue (Enter) button. The above window then appears.
[10] In this example, a user will be authorized to start the transaction ZUSERNAME only if his user master record has an authorization for the object ZUSERNAME with the field USERNAME set to "USERNAME" and the field Activity (ACTVT) equal to "03" (Display).
- In the above screen, the report ZUSERNAME can show two possible messages [11]:
[11] If you are creating a new ABAP program, enter the program name and press the Create button; in the window ABAP Program attributes that appears, enter the required information and press the Save (Enter) button. The above window then appears.
- The statement AUTHORITY-CHECK checks whether a user has the appropriate authorization. To do this, it searches the authorization profiles in the user master record to see whether the user has an authorization for the authorization object specified in the command.
- If the authorization is found and it contains the correct values, the check is successful [12].
[12] In this program, a user is authorized to display his own username only if his user master record contains an authorization based on the object ZUSERNAME with the field USERNAME set to his own username (that is, the sy-uname value) and the field Activity (ACTVT) equal to "03" (Display).
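As an added example that is not a listing from the course, this is how the ABAP program ZUSERNAME described above (the program that the transaction ZUSERNAME calls after the transaction-start checks) could perform the check of footnote 12; it assumes the customer object ZUSERNAME with the fields USERNAME and ACTVT created in SU21 earlier in this appendix:

```abap
REPORT zusername.

" Added example, not the course's own listing. Assumes the customer
" authorization object ZUSERNAME (fields USERNAME and ACTVT) from SU21.
" Both field values must be covered by one single authorization for the
" object in the user's profiles; a match spread over two separate
" authorizations does not count.
AUTHORITY-CHECK OBJECT 'ZUSERNAME'
  ID 'USERNAME' FIELD sy-uname
  ID 'ACTVT'    FIELD '03'.

IF sy-subrc = 0.
  " An authorization for ZUSERNAME covers this user (USERNAME equal to
  " sy-uname, or a range or '*' that includes it) with activity 03.
  WRITE: / 'Your username is', sy-uname.
ELSE.
  " sy-subrc 4: no authorization with matching field values was found;
  " other nonzero values indicate that the object does not appear in the
  " user's profiles at all or that the call is inconsistent with the
  " object definition. Keep the message generic: do not tell the user
  " which field value was missing.
  WRITE: / 'Authorization failed'.
ENDIF.
```

A user holding only an un-regenerated SAP_ALL, as discussed in the profile section, lands in the ELSE branch because SAP_ALL has no authorization for the customer object ZUSERNAME yet.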
• SAP_NEW: you assign this profile to users who are to have access to all currently unprotected components. The SAP_NEW profile assures upward compatibility of authorizations: it ensures that users are not inconvenienced when a release or update introduces new authorization checks for functions that were previously unprotected.
• SAP_ALL: you assign this profile to users who are to have all SAP authorizations, including superuser authorization. After setting up an authorization object, or after updating your system, you can regenerate profile SAP_ALL so that it again has full authorization for all authorization objects in the entire system.
- If a user only has the SAP_ALL profile, executing Transaction ZUSERNAME may produce an error message (such as "Authorization Failed"). This happens because SAP_ALL only contains full authorization for each standard authorization object of the system, not for customer authorization objects such as ZUSERNAME (see the ZUSERNAME transaction on the previous page). To repair this situation, you must regenerate SAP_ALL.
- To regenerate SAP_ALL, in the initial screen of Transaction SU21, or in the List of Objects screen of an object class (as in the above screen), press the Regenerate SAP_ALL button, and then press the Yes button in the next window, Generate SAP_ALL profile.
- After regeneration, a new full authorization for the object ZUSERNAME has been added to the SAP_ALL profile.
- It is not recommended that an end user has a profile like SAP_ALL or SAP_NEW. SAP recommends creating a specific profile for each activity assigned to a user, and using the Profile Generator to create new profiles. To use this tool, execute Transaction PFCG or choose Tools→ Administration→ User Maintenance→ Role Administration→ Roles.
- In the above screen [13], the definition of an authorization profile is shown with its two authorizations, each for a specific authorization object [14]:
• S_TCODE: this authorization permits any user to start the transaction ZUSERNAME.
• ZUSERNAME: this authorization can be compiled as two independent authorizations:
  - With the value "USERNAME" in the field User name and "03" in the field Activity: permits any end user to start the transaction ZUSERNAME, because this object is assigned to the transaction. It also permits a user with the username USERNAME (if such a user exists) to see his own username through the ABAP program ZUSERNAME.
  - With the value "JUNIOR" in the field User Name and the value "03" in the field Activity: grants the user JUNIOR the right to see his own username using the ABAP program ZUSERNAME.
[13] To display the above window, in the initial screen of the Profile Generator enter the role name; in the window that appears, select the Authorization tab and press the Expert mode for profile generation button.
[14] Assume that the transaction ZUSERNAME calls the ABAP program ZUSERNAME, as in the previous pages.
[Figure: user groups. Group SUPER contains SAP*, DDIC and VHYA2HWR (among others); group ADM contains ADMGR1, ADMGR2 ... ADMGRx; groups GR1 ... GRx contain the users FI_01, FI_02 ... FI_## and HR_01, HR_02 ... HR_##.]
Glossary
Glossary content: terms commonly used in the context of this course.
Further information: in your SAP system, choose Help→ Glossary.
- Workbench Change Request: change request for recording and transporting R/3 Repository objects and changed system settings from cross-client tables (client-independent Customizing).