How to Create an Authorization Object in SAP

An Authorization Check Scenario and Creation is the process of a programmer wondering how to create an authorization object in SAP.  

This is done to check authorization before any bookings for business customers can be altered or changed. To begin, the programmer needs to create an authorization field (ACTVT and CUSTTYPE) and then assign, for each field,  the defined value to be checked (02, B).

The programmers must create an authorization object (here S_TRVL_BKS ) and assign it to an object class. You can generate authorization fields under Tools >>ABAP Workbench >>Development >>Other tools>> Authorization objects>>Objects (transaction SU21). 

You can create authorization objects in the Object Navigator (transaction SE80). As a programmer, you program the authorization check by using the ABAP statement AUTHORITY-CHECK: >>AUTHORITY-CHECK OBJECT ‘S_TRVL_BKS’ >>ID ‘ACTVT’ FIELD ’02’ >>ID ‘CUSTTYPE’ FIELD ‘B’. >>IF SY-SUBRC <> 0. >>MESSAGE E… >>ENDIF. 

The work of AUTHORITY-CHECK is to check whether a user has the required authorization to execute an activity. The system checks the user’s master record for authorization profiles and matching authorization objects (S_TRVL_BKS ). The check is successful if found to be positive and with the correct values. 

The following authorizations have been defined for the authorization object by the system administrator S_TRVL_BKS: S_TRVL_CUS1 with these values: customer type ( CUSTTYPE field) 02 for activity (field: ACTVT ). Users who have this authorization can change bookings for all customers. S_TRVL_CUS2 with these values: B for customer type ( CUSTTYPE ), 03 for activity ( ACTVT ). 

Any user with this authorization can display all customer bookings. Remember that the system administrator assigned different authorizations to various users when assigning profiles. Suppose a user was assigned a profile with both authorizations ( S_TRVL_CUS1 and S_TRVL_CUS2 ). That user can, therefore, change bookings for business customers. 

Other users are authorized to display the records only ( S_TRVL_CUS2 ) and cannot change bookings. Creating Authorization Fields What you must understand in authorization objects is that authorization fields represent the respective values to be tested appropriately during authorization checks. As such, to create authorization fields, select Tools >>ABAP Workbench>>Development>>Other tools>>Authorization objects>>Fields. 

In addition, create an authorization field: Select Create authorization field. Then, on the next screen, key in the field’s name, which must be unique, and begin with the letter “Y” or “Z.” Then, assign a data element (from the ABAP Dictionary) to the field. 

If needed, enter a check table for the possible entries. Remember that when created, each authorization object must be assigned to a specific object class. Choose Tools>>ABAP Workbench>>Development>>Other tools>>Authorization objects>>Objects. You can also create authorization objects using the Object Navigator (SE80). 

Creating/Choosing Object Classes At this point, the system displays a list of object classes that exist, organized in line with the components of the system. Before creating a new object, define the object class for the specific component you are working on. However, these objects are not overwritten whenever you install updated/new releases. 

If you wish, you can also define your own object classes. If you do so, choose class names that start with Y or Z to avoid any conflicts with SAP names. Create an Object  Start by entering a unique object name and the respective fields that belong to that object. 

Object names must start with the letter Y or Z to comply with the naming convention for the program’s customer-specific objects. You may enter up to 10 authorization fields within an object definition. 

Also, enter a description of that object and create documentation for it. Ensure the object definition matches the appropriate AUTHORITY-CHECK calls that refer to that particular object. 

How do you create authorization objects in SAP? Just do not change/alter or delete authorization objects that SAP defines because this disables SAP programs from using the objects. After you create an authorization object, you can regenerate the profile SAP_ALL.