ABAP Tutorials » Authorization

Applying Multiple Authority-checks in ABAP Program

Admin — Tue, 21 Jul 2009 23:10:21 +0000

Multiple Authority-checks mainly depends on hierarchy of Authorizations apart from its dependency on the way pragrammer handles it.

Multiple Authority-checks can be of two types depending upon the programming logic and needs.

(a) A programmer can suppose, that if the first AUTHORITY-CHECK fails, the program shouldn’t test the others, but try to elaborate the next data:
LOOP AT ITAB.

   AUTHORITY-CHECK OBJECT
      ID FIELD .
IF SY-SUBRC 0.
      CONTINUE. ” Check next record
ELSE.
        AUTHORITY-CHECK OBJECT
           ID FIELD .
      IF SY-SUBRC 0.
    CONTINUE. ” Check next record
      ELSE.
          AUTHORITY-CHECK OBJECT
                 ID FIELD .
         IF SY-SUBRC 0.
     … Commands/Processing …
       ENDIF.
      ENDIF.
ENDIF.
ENDLOOP.

In this situation it’s very important the user has all authorization objects of course.

(b) In AUTHORITY-CHECK OBJECT statament only one value can be checked. So it can checks if the user has 02 or 03, not both together.

So if you give 02, the AUTHORITY-CHECK will work for 02 only.

Anway the developer can skip the check for a certain fields of a an authority object

AUTHORITY-CHECK OBJECT
ID ………………………………….
ID ACTIVITY FIELD DUMMY.

In this situation the authority-check is not dependent on value of activity.

You might also be interested in these posts:

Restricting SAP Queries from execution

Admin — Tue, 21 Jul 2009 01:48:38 +0000

You can restrict users from executing your queries, by assigning Authorization Group to Query Infoset. Now, users having the authorization to the Authorization Group can execute the Query.

The field ‘authorization group’ allows you to enter an authorization group up to eight characters long. If you specify an authorization group, it is inherited as an attribute by every report generated for a query via this InfoSet. This means that only users authorized in their user master records to execute programs from this authorization group can execute these queries. Authorization groups thus provide a way of protecting reports generated by the query from unauthorized execution.

In SQ02: Change InfoSet > Goto Global Properties > Enter in Authorization group
In SQ01: Query > More functions > Generate program

You might also be interested in these posts:

Assign/Create Authorization Group for a Table in SAP

Admin — Thu, 16 Jul 2009 00:45:50 +0000

Many times an ABAPer or Functional consultant gets the Message ‘You are not authorized to display this table’, when viewing tables, even ZTables. Tables by defualt are created with Authorization Object S_TABU_DIS and Authorization Group &NC&.

Basis Team, as part of Audit/security may not allow this authorization on Tables.

To tackle the situation, you must assign a different Authorization Group (apart from &NC&), and get viewing authorization on that Group from Basis Team.

Steps:
Go to SE54, Give the table name and choose authorization group and then click on create/change. You can create an authorization group.

: Assign / Create Authorization Group

For Example:
You can assign a table to authorization group Z001. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have
authorization object S_TABU_DIS in his or her profile with the value Z001
in the field DICBERCLS (authorization group for ABAP Dictionary objects).

You might also be interested in these posts: