SDN Contribution




Authorization Objects – A Simple Guide


Applies to:
Netweaver 2004s Web Application Server SPS7

Summary
This guide is intended to demonstrate how to create and use the Authorization Concept in the simplest
of conditions. It is based on the Netweaver Web Application Server, and will utilize a table available in all R/3
systems.

Author(s): Glen Spalding

Company: gingle Ltd

Created on: 24th May 2006

Author Bio
There did not appear to be any simple guide and explanation on how to create
authorizations in the simplest manner. Therefore, I thought I would create this
basic guide that, I hope, explains the main principles and tasks needed for the
beginner.

This Authorization Object method should only be utilized in the most basic of uses.




                                                                                       © 2006 SAP AG       1
Table of Contents
Introduction
Scenario
Create Authorization Field
Create Authorization Class & Object
Create Role, Profile & Authorization
Assign Role to User
Code the Authorization Check
Testing
Copyright




Introduction
The Authorization Object mechanism is used to inspect the current user’s privileges for specific data
selection and activities from within a program.

An Object Class contains one or more Authorization Objects.


[Figure: Object Class XYZ containing Authorization Objects A, B and C]



The Authorization Object is where Permitted Activity configurations are performed against specific fields.
E.g. Change (being the activity) the material’s text – MAKTX (being the specific field), or Read (being the
activity) a certain Customer (using Customer Number – KUNNR, as the specific field).

Before a User can be granted permission by the Authorization Object, the User’s Master Record is
assigned a Role, which includes a Profile.

The Profile contains what is simply called the Authorization and is where the specific data for the
Authorization Object’s field is assigned to the configured Permitted Activity. E.g. Allow changes to any
Material Text, or read Customers between the ranges “AA100” & “BB999”.



[Figure: an Object Class containing several Authorization Objects; a User Master Record holding several Roles; a Profile holding several Authorizations]



Finally, the calling of the Authorization Object can be performed in code.




Scenario
We will be using table “TSTC” – Transaction Codes, which should exist in any R/3 version. The screen shots
are taken from the SAP Netweaver 2004s Release 7.

We will demonstrate the selection of a record from this table, and due to the privileges revoked from the
user, via an Authorization Object, the selection will be denied.

We will create a specific Authorization Field against which the check will be made.

Then we will create the Authorization Class and Authorization Object, to which the previously mentioned Field is added.

A new Role and Profile will contain the actual Authorization for data.

The Role will be assigned to the User Master Data.

Finally the Authorization Object will be called in Code.




Create Authorization Field
Transaction – SU20

Create a new Authorization Field by clicking on the Create
button.




Enter “ZTCODE” and “TCODE” in the Field Name
and Data Element, then Enter.




Notice the “Use in Authorization Objects” area at the
bottom of the display.

Naturally, as we have just created this Field, it is not
yet utilized in any Authorization Object.



Save; a “Local Object” will suffice.




The Field has now been created for use in any Authorization Object.




Create Authorization Class & Object
Transaction – SU21

Create a new Authorization Class (Object Class) by clicking on the Create button’s drop down icon, then
select “Object Class”.




Enter the new Object Class name, give it a
description and Save.

Again, saving as a “Local Object” will suffice.

We now have the Object Class to add the new
Authorization Object.



Select the newly created
Object Class, and perform a
similar action to before.
Click on the Create button’s
drop down, this time
selecting “Authorization
Object”.




In the Authorization Object’s create screen, enter a
Name, and description.

Under the section “Authorization fields” enter two
Field names. One being “ACTVT”, this is going to be
responsible for the activities that will be permissible,
and the other “ZTCODE” which is the Authorization
Field, created earlier.

Note: If a suitable Authorization Field already exists,
it is possible to re-use it. However, for this example,
we are assuming it did not, to give exposure to all
necessary tasks involved when dealing with
Authorization Objects.



Be careful when navigating this screen, as it is a bit buggy.



Now press the “Permitted activities”
button, at the bottom of the Create
Authorization Object screen, to begin
configuring what actions can be taken
against our new field ZTCODE.

Save when prompted.

At the next popup, simply press the tick
button to continue.




Now we should be at the Define Values for the
ACTVT field, where we will select 01, 02, and
03.

Save and exit.

All our Authorization Objects have now been
created. Back out ALL THE WAY and check
the creation and configuration in display mode.




Having assigned the Authorization Field to the Authorization Object just created, return to the
Authorization Field – SU20, and check that the Field is actually assigned.



Double click in the “ZTCODE”
Authorization Field line




On the next screen in the “Use in
Authorization Objects” section, see
the assignment.




Create Role, Profile & Authorization
Transaction – PFCG

We now have to create a Role, to which a new Profile will be added, together with an Authorization
that is responsible for permitting activities against specific data (fields) in the database – the actual
authorization.




Enter a Role name and press the create Role button, then supply a description and Save.




On the Authorizations tab, in the “Maintain
Authorization Data and Generate Profiles”
area, press the “Change Authorization
Data” button.



On the next popup screen – “Choose
Template”, select the “Do not select
templates” option.




We are now in the Authorizations area where we will add specific activities to field data.




Press the button “Manually”, ( Ctrl + Shift + F9 ) and
enter the Authorization Object “Z_TCODE” created
earlier. Select the Tick button to continue.




Expand all nodes.




Press the edit icon or line, of the “Activity” entry.




Select all three Activities that were earlier permitted, and
Save.




Now select the edit icon or line, of the “Transaction Code” entry,
and enter “SE01” in the “From” field, and Save.




This Authorization will permit a Create, Change, or Read activity against ‘SE01’ data in the field
ZTCODE, which is based on the Data Element TCODE. So wherever TCODE is used, e.g. in table TSTC,
we can now begin to utilize the Authorization Object Z_TCODE.



Generate the Authorization using the generation
button.




Accept the default
values for the Profile
which will be created.




Return to the previous Role screen, and notice that we now have a Profile assigned to our Role, in the
“Information About Authorization Profile” area.




That completes the Role, Profile, and Authorization creation and configuration.




Assign Role to User
Transaction – SU01

Note: It is not in scope to explain how to create a user, so either create a suitable user now or select an
appropriate one, so that the Role can be assigned. Also, make sure the user is able to execute a program in
SE38, as this is how the Authorization will be tested and demonstrated.

Choose the User, and in Edit mode, select the Roles tab.




Assign the Role recently created, press Enter and Save.

Note: If the User is currently logged on, the User will have to log off and on again before the new Role
assignment can be utilized.




Code the Authorization Check
Create the program as seen below to test the Authorization.

Note the Authorization check, whose syntax begins with AUTHORITY-CHECK, and the check of sy-subrc that
follows it. Note also the ‘03’ literal passed into the Object check field “ACTVT”, which denotes a “read”, and the
p_tcode parameter passed into the Object check field “ZTCODE”, which represents the actual data we
wish to “read”.

       REPORT zauth_check_demo.

       DATA: wa_tstc TYPE tstc.
       PARAMETERS: p_tcode TYPE tcode.

       " check the current user against Authorization Object Z_TCODE
       AUTHORITY-CHECK OBJECT 'Z_TCODE'
                ID 'ACTVT'  FIELD '03'        " read access
                ID 'ZTCODE' FIELD p_tcode.    " actual value

       IF sy-subrc EQ 0.                      " check authorization

         " fetch record
         SELECT SINGLE *
           FROM tstc
           INTO wa_tstc
           WHERE tcode EQ p_tcode.

         WRITE: / wa_tstc-tcode,
                  wa_tstc-pgmna,
                  wa_tstc-dypno,
                  wa_tstc-menue,
                  wa_tstc-cinfo,
                  wa_tstc-arbgb.
       ELSE.

         " bad authorization
         WRITE: / 'Bad Authorization'.

       ENDIF.
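
As an added example (not code from the original guide), the report below runs the same AUTHORITY-CHECK for each of the three activities permitted on the object and separates the return codes, so that a user with no authorization for the object at all (sy-subrc 12) can be told apart from a value outside the authorization (sy-subrc 4). Z_TCODE, ACTVT and ZTCODE are the object and fields configured above; the report, FORM and variable names are hypothetical.

```abap
REPORT zauth_check_matrix.

" Added example. Z_TCODE / ACTVT / ZTCODE come from the guide;
" the report name, FORM name and variables are hypothetical.

TYPES: ty_actvt TYPE c LENGTH 2.

PARAMETERS: p_tcode TYPE tcode OBLIGATORY.

DATA: gt_actvt TYPE STANDARD TABLE OF ty_actvt,
      gv_actvt TYPE ty_actvt,
      gv_rc    TYPE i,
      gv_read  TYPE c LENGTH 1,
      wa_tstc  TYPE tstc.

START-OF-SELECTION.

  " The three activities permitted on the object in SU21.
  APPEND '01' TO gt_actvt.
  APPEND '02' TO gt_actvt.
  APPEND '03' TO gt_actvt.

  LOOP AT gt_actvt INTO gv_actvt.
    PERFORM check_tcode_auth USING gv_actvt p_tcode
                             CHANGING gv_rc.
    CASE gv_rc.
      WHEN 0.
        WRITE: / 'ACTVT', gv_actvt, 'authorized for', p_tcode.
        IF gv_actvt = '03'.
          gv_read = 'X'.
        ENDIF.
      WHEN 4.
        " Object is in the user master, but not with these values.
        WRITE: / 'ACTVT', gv_actvt, 'denied: values not covered'.
      WHEN 12.
        " No authorization for the object in the user master,
        " e.g. the Role is not assigned.
        WRITE: / 'ACTVT', gv_actvt, 'denied: no Z_TCODE authorization'.
      WHEN OTHERS.
        " Treat every other return code as a denial.
        WRITE: / 'ACTVT', gv_actvt, 'denied: return code', gv_rc.
    ENDCASE.
  ENDLOOP.

  " Fail closed: TSTC is read only after an explicit 0 for ACTVT 03.
  IF gv_read = 'X'.
    SELECT SINGLE * FROM tstc INTO wa_tstc
      WHERE tcode = p_tcode.
    IF sy-subrc = 0.
      WRITE: / wa_tstc-tcode, wa_tstc-pgmna.
    ELSE.
      WRITE: / 'No TSTC entry for', p_tcode.
    ENDIF.
  ENDIF.

FORM check_tcode_auth USING    iv_actvt TYPE ty_actvt
                               iv_tcode TYPE tcode
                      CHANGING cv_rc    TYPE i.
  AUTHORITY-CHECK OBJECT 'Z_TCODE'
           ID 'ACTVT'  FIELD iv_actvt
           ID 'ZTCODE' FIELD iv_tcode.
  " Copy sy-subrc at once; later statements overwrite it.
  cv_rc = sy-subrc.
ENDFORM.
```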




Testing
Transaction – SE38 with appropriate Test User, that has been given the Role previously created.

Execute the program above, in this case ZAUTH_CHECK_DEMO.

Enter a permitted value and run the program.




Result




Now enter any other value, and see the difference.




Result




Copyright
© Copyright 2006 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries,
zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by
Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All
other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may
result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these
materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and
does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be
used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of
certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors
or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.




157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
157265792-Advanced-Features-of-SAP-BW-Reporting-Authorizations.pdf
 
Abap proxies
Abap proxiesAbap proxies
Abap proxies
 
Microsoft identity platform and device authorization flow to use azure servic...
Microsoft identity platform and device authorization flow to use azure servic...Microsoft identity platform and device authorization flow to use azure servic...
Microsoft identity platform and device authorization flow to use azure servic...
 

Authorization objects a simple guide

  • 1. SDN Contribution
    Authorization Objects – A Simple Guide
    Applies to: Netweaver 2004s Web Application Server SPS7
    Summary: This guide is intended to demonstrate how to create and use the Authorization Concept in the simplest of conditions. It is based on the Netweaver Web Application Server, and will utilize a table available in all R/3 systems.
    Author(s): Glen Spalding
    Company: gingle Ltd
    Created on: 24th May 2006
    Author Bio: There did not appear to be any simple guide and explanation on how to create authorizations in the simplest manner. Therefore, I thought I would create this basic guide that, I hope, explains the main principles and tasks needed for the beginner. This Authorization Object method should only be utilized in the most basic of uses.
  • 2. Table of Contents
    Introduction (3)
    Scenario (4)
    Create Authorization Field (5)
    Create Authorization Class & Object (6)
    Create Role, Profile & Authorization (9)
    Assign Role to User (12)
    Code the Authorization Check (13)
    Testing (14)
    Copyright (15)
  • 3. Introduction
    The Authorization Object mechanism is used to inspect the current user’s privileges for specific data selection and activities from within a program.
    An Object Class contains one or more Authorization Objects.
    [Figure: Object Class XYZ containing Authorization Objects A, B and C]
    The Authorization Object is where Permitted Activity configurations are performed against specific fields, e.g. Change (being the activity) the material’s text – MAKTX (being the specific field), or Read (being the activity) a certain Customer (using Customer Number – KUNNR, as the specific field).
    Before a User can be granted permission by the Authorization Object, the User’s Master Record is assigned a Role, which includes a Profile. The Profile contains what is simply called the Authorization and is where the specific data for the Authorization Object’s field is assigned to the configured Permitted Activity, e.g. allow changes to any Material Text, or read Customers between the ranges “AA100” & “BB999”.
    [Figure: an Object Class with its Authorization Objects, and a User Master Record with Roles, a Profile and its Authorizations]
    Finally, the calling of the Authorization Object can be performed in code.
  • 4. Scenario
    We will be using table “TSTC” – Transaction Codes, which should exist in any R/3 version. The screen shots are taken from the SAP Netweaver 2004s Release 7.
    We will demonstrate the selection of a record from this table and show that, due to the privileges revoked from the user via an Authorization Object, the selection will be denied.
    We will create a specific Authorization Field against which the check will be made, then the Authorization Class and Authorization Object, to which that Field is added. A new Role and Profile will contain the actual Authorization for data. The Role will be assigned to the User Master Data. Finally, the Authorization Object will be called in code.
  • 5. Create Authorization Field
    Transaction – SU20
    Create a new Authorization Field by clicking on the Create button.
    Enter “ZTCODE” and “TCODE” in the Field Name and Data Element, then Enter.
    Notice the “Use in Authorization Objects” area at the bottom of the display. Naturally, as we have just created this Field, it is not yet utilized in any Authorization Object.
    Save; a “Local Object” will suffice.
    The Field has now been created for use in any Authorization Object.
  • 6. Create Authorization Class & Object
    Transaction – SU21
    Create a new Authorization Class (Object Class) by clicking on the Create button’s drop down icon, then select “Object Class”.
    Enter the new Object Class name, give it a description and Save. Again, saving as a “Local Object” will suffice.
    We now have the Object Class to which the new Authorization Object will be added.
    Select the newly created Object Class, and perform a similar action to before: click on the Create button’s drop down, this time selecting “Authorization Object”.
  • 7. In the Authorization Object’s create screen, enter a Name and description.
    Under the section “Authorization fields”, enter two Field names. One is “ACTVT”, which is going to be responsible for the activities that will be permissible, and the other is “ZTCODE”, the Authorization Field created earlier.
    Note: If a suitable Authorization Field already exists, it is possible to re-use it. However, for this example, we are assuming it did not, to give exposure to all necessary tasks involved when dealing with Authorization Objects.
    Be careful when navigating this screen, as it is a bit buggy.
    Now press the “Permitted activities” button, at the bottom of the Create Authorization Object screen, to begin configuring what actions can be taken against our new field ZTCODE. Save when prompted.
    At the next popup, simply press the tick button to continue.
    Now we should be at the Define Values screen for the ACTVT field, where we will select 01, 02, and 03. Save and exit.
    All our Authorization Objects have now been created. Back out ALL THE WAY and check the creation and configuration in display mode.
  • 8. Having assigned the Authorization Field to the Authorization Object just created, return to the Authorization Field – SU20, and check that the Field is actually assigned.
    Double click on the “ZTCODE” Authorization Field line.
    On the next screen, in the “Use in Authorization Objects” section, see the assignment.
  • 9. Create Role, Profile & Authorization
    Transaction – PFCG
    We now have to create a Role, in which a new Profile will be added, and also an Authorization will be added that is responsible for permitting activities against specific data (fields) in the database – the actual authorization.
    Enter a Role name and press the create Role button, then supply a description and Save.
    On the Authorizations tab, in the “Maintain Authorization Data and Generate Profiles” area, press the “Change Authorization Data” button.
    On the next popup screen – “Choose Template”, select the “Do not select templates” option.
  • 10. We are now in the Authorizations area where we will add specific activities to field data.
    Press the “Manually” button (Ctrl + Shift + F9) and enter the Authorization Object “Z_TCODE” created earlier. Select the Tick button to continue.
    Expand all nodes.
    Press the edit icon or line of the “Activity” entry. Select all three Activities that were earlier permitted, and Save.
    Now select the edit icon or line of the “Transaction Code” entry, enter “SE01” in the “From” field, and Save.
  • 11. This current Authorization will permit a Create, Change, or Read activity against ‘SE01’ data, in the field ZTCODE, which is based on the Data Element TCODE. So wherever TCODE is used, e.g. in table TSTC, we can now begin to utilize the Authorization Object Z_TCODE.
    Generate the Authorization using the generation button. Accept the default values for the Profile which will be created.
    Return to the previous Role screen, and notice that we now have a Profile assigned to our Role, in the “Information About Authorization Profile” area.
    That completes the Role, Profile, and Authorization creation and configuration.
  • 12. Assign Role to User
    Transaction – SU01
    Note: It is not in scope to explain how to create a user, so either create a suitable user now, or select an appropriate one, so that the Role can be assigned. Also, make sure the user is able to execute a program in SE38, as this is how the Authorization will be tested and demonstrated.
    Choose the User, and in Edit mode, select the Roles tab. Assign the Role recently created, press Enter and Save.
    Note: If the User is currently logged on, the User will have to log off and on again before the new Role assignment can be utilized.
  • 13. Code the Authorization Check
    Create the program as seen below to test the Authorization.
    Note the Authorization check with the syntax beginning AUTHORITY-CHECK and the checking of sy-subrc. Also note the ‘03’ literal that is passed into the Object check field “ACTVT”, which denotes a “read”, and the p_tcode parameter that is passed into the Object check field “ZTCODE”, which represents the actual data we wish to “read”.

      REPORT zauth_check_demo.

      DATA: wa_tstc TYPE tstc.

      PARAMETERS: p_tcode TYPE tcode.

      AUTHORITY-CHECK OBJECT 'Z_TCODE'
        ID 'ACTVT'  FIELD '03'      " read access
        ID 'ZTCODE' FIELD p_tcode.  " actual value

      IF sy-subrc EQ 0.             " check authorization
        " fetch record
        SELECT SINGLE * FROM tstc INTO wa_tstc WHERE tcode EQ p_tcode.
        WRITE:/ wa_tstc-tcode, wa_tstc-pgmna, wa_tstc-dypno,
                wa_tstc-menue, wa_tstc-cinfo, wa_tstc-arbgb.
      ELSE.
        " bad authorization
        WRITE:/ 'Bad Authorization'.
      ENDIF.
  • 14. Testing
    Transaction – SE38, with an appropriate Test User that has been given the Role previously created.
    Execute the program above, in this case ZAUTH_CHECK_DEMO.
    Enter a permitted value and run the program.
    [Screenshot: Result]
    Now enter any other value, and see the difference.
    [Screenshot: Result]
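An added example, not part of the original guide: a small test report that runs the Z_TCODE check once for each of the three permitted activities and prints the AUTHORITY-CHECK return code, so a tester can tell sy-subrc 4 (the user holds Z_TCODE, but not with these values) from sy-subrc 12 (no authorization for Z_TCODE in the user master record). The report name ZAUTH_CHECK_MATRIX and the type and variable names are assumptions; Z_TCODE, ACTVT and ZTCODE are the objects created in this guide.

```abap
REPORT zauth_check_matrix.   " hypothetical name, added example

TYPES: BEGIN OF ty_actvt,
         actvt TYPE activ_auth,      " data element behind field ACTVT
         text  TYPE c LENGTH 8,
       END OF ty_actvt.

DATA: gt_actvt TYPE STANDARD TABLE OF ty_actvt,
      gs_actvt TYPE ty_actvt,
      gv_rc    TYPE sy-subrc.

PARAMETERS: p_tcode TYPE tcode OBLIGATORY.

START-OF-SELECTION.
  " The three activities permitted for Z_TCODE in SU21.
  gs_actvt-actvt = '01'. gs_actvt-text = 'Create'. APPEND gs_actvt TO gt_actvt.
  gs_actvt-actvt = '02'. gs_actvt-text = 'Change'. APPEND gs_actvt TO gt_actvt.
  gs_actvt-actvt = '03'. gs_actvt-text = 'Read'.   APPEND gs_actvt TO gt_actvt.

  LOOP AT gt_actvt INTO gs_actvt.
    AUTHORITY-CHECK OBJECT 'Z_TCODE'
      ID 'ACTVT'  FIELD gs_actvt-actvt
      ID 'ZTCODE' FIELD p_tcode.
    " Save sy-subrc at once; any later statement may overwrite it.
    gv_rc = sy-subrc.

    CASE gv_rc.
      WHEN 0.
        WRITE: / gs_actvt-text, p_tcode, 'allowed'.
      WHEN 4.
        " Z_TCODE is in the user master, but no single authorization
        " contains both this activity and this ZTCODE value.
        WRITE: / gs_actvt-text, p_tcode, 'denied: values do not match'.
      WHEN 12.
        " The user master holds no authorization for Z_TCODE at all,
        " e.g. the Role is not assigned or the Profile was not generated.
        WRITE: / gs_actvt-text, p_tcode, 'denied: Z_TCODE not assigned'.
      WHEN OTHERS.
        " Treat every other return code as a denial (fail closed).
        WRITE: / gs_actvt-text, p_tcode, 'denied: sy-subrc', gv_rc.
    ENDCASE.
  ENDLOOP.
```

Run as the test user in SE38: with the Role from this guide, SE01 should be listed as allowed for all three activities, and any other value should be denied with sy-subrc 4.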
  • 15. Copyright © Copyright 2006 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. 
Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages. Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.