ABAP Programming, 楊子青, D3a-1: Create and Use the Authorization Objects in ABAP: Authorization...


Upload: brendan-hector-brooks

Post on 17-Jan-2016


D3a-1 ABAP Programming, 楊子青

Create and Use the Authorization Objects in ABAP

Authorization Check

– Authorization Objects are used to manipulate the current user’s privileges for specific data selection and activities from within a program.

– http://help.sap.com/saphelp_bw33/helpdata/en/52/67167f439b11d1896f0000e8322d00/frameset.htm

– http://www.richardsantos.net/2009/03/16/sap-how-to-create-and-use-the-authorization-objects-in-abap/


Authorization Checks in ABAP Programs


Authorization Objects and Authorizations


Authorization - Check


Implementing Authorization Checks in Programs


Authorization Check

(1) create authorization fields
(2) create authorization class
(3) create authorization object
(4) create a role
(5) authorization in ABAP program


(1) create authorization fields

– Go to transaction code SU20.
– Click the create new button on the application toolbar.
– Enter “ZTCODE” in the Field Name and “TCODE” in the Data Element, then hit Enter.
– Click the save button on the system toolbar.


(2) create authorization class

– Go to transaction code SU21.
– Click on the Create button’s drop down icon and select “Object Class”.
– Enter “ZTRN” on the Object Class field.
– Give it a description and save it.


(3) create authorization object

– Again in SU21, in the list of authorization classes (folder icon), click the one that we’ve created (ZTRN).
– Click on the Create button’s drop down, this time selecting “Authorization Object”.
– Enter “Z_TCODE” on the Object field and give it a description.
– On the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while ZTCODE is the authorization field that we’ve created earlier, which is responsible for holding a list of tcodes.
– On the Further Authorization Object Settings, click on the “Permitted activities” button. Here we will select the specific activities that we want to be available for our authorization object.
– As an example, we will select 01 (Create), 02 (Change), and 03 (Display).
– Save and Exit.


(4) create a role

1. Go to transaction code PFCG.
2. Enter “ZAUTHTEST” on the Role field and click the “Single Role” button.
3. Now give it a description, click the save button and click the Authorization tab.
4. Click the “Change Authorization Data” button inside the authorization tab.
5. Then click the “Manually” button on the application toolbar, type in the name of the authorization object that we’ve created earlier (“Z_TCODE”) and press Enter.
6. Expand all the nodes, double click on the input field of the Activity and select activity 01 and 02.
7. Enter the tcode of our own ABAP program in the ZTCODE field; in our example I used “ZCOMM”.
8. Also, don’t forget to add the S_TCODE authorization object and enter ZCOMM in its field.
9. Now click on the Generate button in the application toolbar and press Enter on the pop-up screen.
10. Press the back button, assign a specific user on the User tab and click the User Comparison button.

Now create another role by repeating steps 1 to 9, but this time select activity 03 on step 6. Then assign this 2nd role to another user.


(5) authorization in ABAP program

AUTHORITY-CHECK OBJECT 'Z_TCODE'   "authorization object that we've created
  ID 'ACTVT'  FIELD '01'           "Activity = 01, authorized to create
  ID 'ZTCODE' FIELD 'ZCOMM'.       "tcode that we want to check for authorization

IF sy-subrc EQ 0.
  CALL SCREEN 1000.   "The user is authorized to create
ELSE.
  CALL SCREEN 2000.   "User is not authorized to create (Display only)
ENDIF.
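
An added example (not from the original slides or their author) that extends the step (5) check so it fails closed: the ELSE branch in step (5) sends every user who fails the create check to screen 2000, including a user who holds neither role. The report name ZAUTH_MODE_DEMO, the class lcl_auth and the mode constants are assumptions; Z_TCODE, ACTVT, ZTCODE and ZCOMM are the objects created in steps (1) to (4).

```abap
REPORT zauth_mode_demo.
" Added example. Report, class and constant names are assumptions.
" Z_TCODE, ACTVT, ZTCODE, ZCOMM and activities 01/03 come from the slides.
CLASS lcl_auth DEFINITION FINAL.
  PUBLIC SECTION.
    TYPES ty_mode TYPE c LENGTH 1.
    CONSTANTS: c_create  TYPE ty_mode VALUE 'C',
               c_display TYPE ty_mode VALUE 'D',
               c_none    TYPE ty_mode VALUE 'N'.
    CLASS-METHODS is_allowed
      IMPORTING iv_actvt TYPE clike iv_tcode TYPE tcode
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    CLASS-METHODS resolve_mode
      IMPORTING iv_tcode TYPE tcode
      RETURNING VALUE(rv_mode) TYPE ty_mode.
ENDCLASS.
CLASS lcl_auth IMPLEMENTATION.
  METHOD is_allowed.
    rv_ok = abap_false.
    AUTHORITY-CHECK OBJECT 'Z_TCODE'
      ID 'ACTVT'  FIELD iv_actvt
      ID 'ZTCODE' FIELD iv_tcode.
    " Only sy-subrc = 0 grants access; any other value is treated as denial.
    IF sy-subrc = 0.
      rv_ok = abap_true.
    ENDIF.
  ENDMETHOD.
  METHOD resolve_mode.
    " Check create (01) first, then fall back to an explicit display (03) check.
    IF is_allowed( iv_actvt = '01' iv_tcode = iv_tcode ) = abap_true.
      rv_mode = c_create.
    ELSEIF is_allowed( iv_actvt = '03' iv_tcode = iv_tcode ) = abap_true.
      rv_mode = c_display.
    ELSE.
      rv_mode = c_none.   " neither activity granted: show no screen at all
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA gv_mode TYPE lcl_auth=>ty_mode.
  gv_mode = lcl_auth=>resolve_mode( 'ZCOMM' ).
  CASE gv_mode.
    WHEN lcl_auth=>c_create.
      WRITE / 'Create allowed (screen 1000 on the slide)'.
    WHEN lcl_auth=>c_display.
      WRITE / 'Display only (screen 2000 on the slide)'.
    WHEN OTHERS.
      MESSAGE 'No authorization for ZCOMM' TYPE 'E'.
  ENDCASE.
```

With the two roles from step (4), the first user resolves to create mode and the second to display mode; a user with neither role gets the error message instead of the display screen.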