SAP Authorization concept Profiles User Maintenance
Dec 13, 2015
2
contentsauthorization object classauthorization objectauthorization object - exampleauthorizationauthorization – exampleprofileuserABAP syntaxABAP code – exampleSY-SUBRCtransaction codessteps for handling authorizationsdemonstration
3
authorization object
authorization object
authorization object
authorization object
authorization field
authorization field
authorization field
4
authorization objects - example
S_TCODE - authorization check for transaction StartTCD – transaction code
M_MATE_STA – material master maintenance statusesACTVT - activitySTATM – maintenance status of material master record
M_MATE_MAN – material master data at client levelACTVT - activity
M_MATE_BUK – material master data at company code levelACTVT – activityBUKRS – company code

authorization objects - example
M_MATE_WRK – material master data at plant level
  ACTVT - activity
  WERKS – plant
M_MATE_MAT – material master data at sales organization / distribution
  ACTVT – activity
  VKORG – sales organization
  VTWEG – distribution channel
M_MATE_MAT – material master data at authorization group level
  ACTVT – activity
  BEGRU – authorization group

authorization object class
[diagram with boxes labelled "authorization object class" and "authorization object"]

authorization
[diagram with boxes labelled "authorization" and "authorization object"]

authorization - example
M_MATE_WRK01 (authorization 1)
  M_MATE_WRK (material master data at plant level)
    ACTVT (activity) : 03
    WERKS (plant) : 1000, 2000
M_MATE_MAT01 (authorization 1)
  M_MATE_MAT (material master data at sales organization / distribution)
    ACTVT (activity) : 01, 03
    VKORG (sales organization) : 100
    VTWEG (distribution channel) : *
F_BKPF_BUK01 (authorization 1)
  F_BKPF_BUK (accounting document at company code level)
    ACTVT (activity) : *
    BUKRS (company code) : *

profile
[diagram with boxes labelled "profile" and "authorization"]

user
[diagram with boxes labelled "user" and "profile"]

authorization structure
[diagram, top to bottom:]
user1
  profile1, profile2
    authorization1, authorization2
      authorization object1
        authorization object field1, authorization object field2
          value1, value2

ABAP syntax
AUTHORITY-CHECK OBJECT object
  ID name1 FIELD field1
  ID name2 FIELD field2
  ……
  ID name10 FIELD field10.
IF SY-SUBRC <> 0.
  ……
ENDIF.

ABAP code - example
AUTHORITY-CHECK OBJECT 'M_MATE_MAT'
  ID 'ACTVT' FIELD '01'
  ID 'VKORG' FIELD '100'
  ID 'VTWEG' FIELD '10'.
IF SY-SUBRC <> 0.
  ……
ENDIF.

SY-SUBRC
0 – user has required authorization
4 – user has no authorization
8 – too many parameters (fields, values)
12 – object is not maintained in user master
16 – no profile entered in user master record
24 – field names do not match
28 – incorrect structure for user master record
32 – incorrect structure for user master record
36 – incorrect structure for user master record

programmer is responsible for 8, 24
system administrator is responsible for 4, 12, 16
SAP is responsible for 28, 32, 36

transaction codes
SU20 – authorization object field
SU21 – authorization object
SU03 – authorization
SU02 – profile
SU01 – user
SU24 – authorization objects to transaction code
SE93 – transaction code
SU53 – display authorization data

Steps for handling authorizations
step 01 : create authorization object field (SU20)
step 02 : create authorization object class (SU21)
step 03 : create authorization object (SU21)
step 04 : create authorization (SU03)
step 05 : create profile (SU02)
step 06 : assign authorization objects to a profile (SU02)
step 07 : assign authorization to profile (SU02)
step 08 : create user (SU01)
step 09 : assign profile to user (SU01)
step 10 : assign authorization object to a transaction code (SE93)
step 11 : handle authorization check in ABAP program (SE38)

demonstration
program : ZSP1
transaction code : ZST1
authorization object : ZSAO1
authorization object fields : SMT, SMG, SD

authorization : SA1
  authorization values for SMT : SMT1, SMT3
  authorization values for SMG : SMG1, SMG3
  authorization values for SD : D1, D3

authorization : SA2
  authorization values for SMT : *
  authorization values for SMG : *
  authorization values for SD : *

profile : SP1
user : SU1
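
The authorization structure and the SY-SUBRC values above, applied to the demonstration data, as an added example (a simplified Python model, not code from the slides and not SAP's implementation). It shows that a single authorization must cover every checked field, and that adding the all-"*" authorization SA2 to a profile removes the restriction SA1 expresses. Assumptions: which authorizations profile SP1 holds, that ZSP1 checks all three fields, and the profile-less user SU2.

```python
# Simplified model of how an AUTHORITY-CHECK is evaluated (not SAP code).
# Names and values come from the demonstration slide; SU2 is hypothetical.
AUTHORIZATIONS = {
    # authorization -> (authorization object, {field: allowed values})
    "SA1": ("ZSAO1", {"SMT": {"SMT1", "SMT3"},
                      "SMG": {"SMG1", "SMG3"},
                      "SD": {"D1", "D3"}}),
    "SA2": ("ZSAO1", {"SMT": {"*"}, "SMG": {"*"}, "SD": {"*"}}),
}
USERS = {"SU1": ["SP1"], "SU2": []}          # user -> profiles
SP1_RESTRICTED = {"SP1": ["SA1"]}            # assumption: SP1 holds SA1 only
SP1_WITH_STAR = {"SP1": ["SA1", "SA2"]}      # assumption: SA2 added to SP1


def authority_check(profiles, user, obj, **checked):
    """Return the SY-SUBRC value (0, 4, 12 or 16) for one check."""
    user_profiles = USERS.get(user, [])
    if not user_profiles:
        return 16  # no profile entered in user master record
    # Every authorization for this object reachable through the profiles.
    candidates = [AUTHORIZATIONS[auth][1]
                  for prof in user_profiles
                  for auth in profiles.get(prof, [])
                  if AUTHORIZATIONS[auth][0] == obj]
    if not candidates:
        return 12  # object is not maintained in user master
    for fields in candidates:
        # All checked fields must match inside ONE authorization (AND);
        # one matching authorization is enough (OR). "*" matches any value.
        if all(fields.get(name, set()) & {"*", value}
               for name, value in checked.items()):
            return 0  # user has required authorization
    return 4  # user has no authorization


def check_zsao1(profiles, user, smt, smg, sd):
    """The check program ZSP1 is assumed to make, with all three fields."""
    return authority_check(profiles, user, "ZSAO1", SMT=smt, SMG=smg, SD=sd)


if __name__ == "__main__":
    for label, profiles in (("SA1 only", SP1_RESTRICTED),
                            ("SA1 + SA2", SP1_WITH_STAR)):
        for values in (("SMT1", "SMG3", "D1"), ("SMT2", "SMG1", "D1")):
            print(label, values, check_zsao1(profiles, "SU1", *values))
```

When reviewing profiles, an authorization like SA2 is the one to look for: once it sits in any profile of the user, the narrower value lists in SA1 no longer limit anything.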