The authorizations for users are created using roles and profiles. The administrator
creates the roles, and the system supports him or her in creating the associated authorizations.
[Figure: authorizations A and B of one authorization object. Labels: Object Class: Basis Admin; Authorization Object: User Master Maintenance: User Groups; fields Activity (Create, Change, Display; Display) and User Group (SUPER; Finance).]
Authorization objects allow complex checks in which multiple conditions must be met before
a user may perform an action. An authorization is always associated with exactly one authorization
object and contains the values for the fields of that authorization object.
When the user calls a transaction, the system checks whether the user has an
authorization in the user context that allows him/her to call the selected transaction.
Authorization checks use the authorizations in the user context.
All the authorizations are permissions. There are no authorizations for prohibiting. Everything
that is not explicitly allowed is forbidden.
The user gets the necessary authorization through Roles. The role also contains the
authorizations users need to access the transactions, reports, web-based applications and so on,
contained in the menu.
The details of user administration are covered in my other book “User Administration in SAP
R3 System”.
SAP Authorization Concept Modules
The SAP authorization concept modules are color-coded in the hierarchy display.
The basic SAP authorization concept terms are displayed below, before you specify the authorization field
values. The colors of the SAP authorization concept modules are the standard colors in the following
hierarchy display.
Explanation of terms:
Object class: Object classes have an orange background in the hierarchy display.
Authorization object: Authorization objects have a green background in the hierarchy display.
01,02 activity
Authorizations allow you to specify any number of values or value ranges for a
field. You can also allow all values, or allow an empty field as a permissible
value.
Changes: All users with this authorization in their authorization profile are
affected.
Profile: User authorizations are not usually assigned directly to user master records,
but are grouped together in authorization profiles.
You can create profiles manually, but you should use the Profile generator.
Changes only take effect when the user next logs on. Users who are logged on
when the change takes place are not affected in their current session.
User master record: User master records enable the user to log on to the SAP System and allow
access to the functions and objects in it within the limits of the specified authorization profiles.
Changes only take effect when the user next logs on. Users who are logged on
when the change takes place are not affected in their current session.
In the example, a user whose user master record contains the profile
T_58000097 can perform the activities in the profile authorizations.
When a transaction is called, a system program makes various checks to ensure that the user has the
appropriate authorization.
The authorization object S_TCODE (call transaction) contains the field TCD (transaction code). The user
must have an authorization with a value for the selected transaction code.
Does the transaction code have an authorization object? If so, a check is made that the user has
authorization for this authorization object.
If one of these checks fails, the transaction is not called and the system sends a message.
If the transaction is called, it calls an ABAP program which makes further authorization checks with the
AUTHORITY-CHECK command. The programmer specifies an authorization object and the required
values for each authorization field.
AUTHORITY-CHECK checks whether a user has appropriate authorization. To do this, it searches in the
specified authorization profile in the user master record to see whether the user has authorization for the
authorization object specified in the command.
If the authorization is found and it contains the correct values, the check is successful.
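A small Python model of the checks described above, added here as an illustration (it is not SAP code and not part of the original text): it shows that everything not explicitly allowed is denied, and that all field values must be found in one single authorization, so values from authorizations A and B are never combined. It assumes the user context is a flat list of authorizations, that the "User Master Maintenance: User Groups" object is S_USER_GRP with fields CLASS and ACTVT, and that activities 01, 02, 03 mean create, change, display; the user data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Authorization:
    obj: str      # authorization object, e.g. "S_TCODE"
    fields: dict  # field name -> list of permitted values

def value_matches(allowed, wanted):
    """A permitted entry is '*' (all), a single value, or an inclusive (low, high) range."""
    if allowed == "*":
        return True
    if isinstance(allowed, tuple):
        return allowed[0] <= wanted <= allowed[1]
    return allowed == wanted

def authority_check(user_auths, obj, **wanted):
    """True only if ONE authorization for obj covers every requested field value.
    Values from different authorizations are never combined; no match means denied."""
    for auth in user_auths:
        if auth.obj == obj and all(
            any(value_matches(a, value) for a in auth.fields.get(name, []))
            for name, value in wanted.items()
        ):
            return True
    return False

def start_transaction(user_auths, tcode, object_check=None):
    """Transaction start: S_TCODE first, then the object assigned to the transaction, if any."""
    if not authority_check(user_auths, "S_TCODE", TCD=tcode):
        return False
    if object_check is not None:
        obj, values = object_check
        return authority_check(user_auths, obj, **values)
    return True

# Constructed user context (sample data, not from a real system).
USER = [
    Authorization("S_TCODE", {"TCD": ["SU01"]}),
    Authorization("S_USER_GRP", {"CLASS": ["SUPER"], "ACTVT": ["03"]}),            # A
    Authorization("S_USER_GRP", {"CLASS": ["FINANCE"], "ACTVT": [("01", "03")]}),  # B
]

if __name__ == "__main__":
    print(authority_check(USER, "S_USER_GRP", CLASS="FINANCE", ACTVT="02"))
    print(authority_check(USER, "S_USER_GRP", CLASS="SUPER", ACTVT="02"))
    print(start_transaction(USER, "SU01", ("S_USER_GRP", {"ACTVT": "03"})))
    print(start_transaction(USER, "SE38"))
```

When reviewing roles, the second call is the case to watch: a user who can change one group and display another still cannot change the second group.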