How to Create an Authorization Object in SAP

An Authorization Check Scenario and Creation is the process of a programmer who is wondering how to create authorization object in SAP.  This is done in order to make an authorization check before any bookings for business customers can be altered or changed.

To begin, the programmer needs to create an authorization field ( ACTVT and CUSTTYPE ) and then assign, for each field,  the defined value to be checked ( 02, B ).

The programmers also needs to create an authorization object (here S_TRVL_BKS ) and then assign it to an object class.

You can create authorization fields under Tools >>ABAP Workbench >>Development >>Other tools>> Authorization objects>>Objects (transaction SU21). You can also create authorization objects in the Object Navigator (transaction SE80).

As a programmer, you program the authorization check by using the ABAP statement AUTHORITY-CHECK:

>>AUTHORITY-CHECK OBJECT ‘S_TRVL_BKS’

>>ID ‘ACTVT’ FIELD ’02’

>>ID ‘CUSTTYPE’ FIELD ‘B’.

>>IF SY-SUBRC <> 0.

>>MESSAGE E…

>>ENDIF.

The work of AUTHORITY-CHECK is to check whether a user has the required authorization to execute an activity.

The system checks in the user’s master record for authorization profiles and matching authorization object (S_TRVL_BKS ). If found to be positive and with the correct values, then the check is successful.

The following authorizations has defined for the authorization object by the system administrator S_TRVL_BKS:

S_TRVL_CUS1 with these values:

customer type ( CUSTTYPE field)

02 for activity (field: ACTVT )

Users who have this authorization can change bookings for all customers.

S_TRVL_CUS2 with these values:

B for customer type ( CUSTTYPE )

03 for activity ( ACTVT ).

Any user with this authorization can display all customer bookings.

Remember that when assigning profiles, the system administrator assigned different authorizations to various users.

Suppose a user  was assigned a profile with both of these authorizations ( S_TRVL_CUS1 and S_TRVL_CUS2 ). That user can therefore be able to change bookings for business customers.

Another user, on the other hand, has authorization to display the records only ( S_TRVL_CUS2 ) and cannot change bookings whatsoever.

Creating Authorization Fields

What you have to understand in authorization objects is that authorization fields represent the respective values that are to be tested appropriately during authorization checks.

As such, to create authorization fields, select Tools >>ABAP Workbench>>Development>>Other tools>>Authorization objects>>Fields.

In addition, create an authorization field:

Select Create authorization field. Then, on the next screen, key in the name of the field, which must be unique and begin with the letter “Y” or “Z.”

Then assign a data element (from the ABAP Dictionary) to the field. If needed, enter a check table for the possible entries.

Remember that each authorization object must be assigned to a specific object class when created.

Choose Tools>>ABAP Workbench>>Development>>Other tools>>Authorization objects>>Objects. You can also use the Object Navigator (SE80) to create authorization objects.

Creating/Choosing Object Classes

At this point, the system displays a list of object classes that exist, organized in line with the components of the system.

Before creating a new object, first define the object class for the specific component in which you are working. However, these objects are not overwritten whenever you install updated/new releases.

If you wish, you can also define your own object classes. Should you do so, choose class names that start with Y or Z in order to avoid any conflicts with SAP names whatsoever.

Creating an Object 

Start by entering a unique object name and the respective fields that belong to that object. Note that Object names must start with the letter Y or Z to comply with the naming convention for the program’s customer-specific objects.

You may enter up to 10 authorization fields within an object definition. Also enter a description of that object and even create documentation for it.

Make sure the object definition matches the appropriate AUTHORITY-CHECK calls that refer to that particular object.

How to create authorization object in sap, just do not change/alter or delete authorization objects that are defined by SAP because this disables SAP programs using the objects. After you create an authorization object, you could regenerate the profile SAP_ALL.
 

mm
Marissa Hart is the Lead Author & Editor ShareMe. ShareMe is a blog focused on SharePoint Online. SharePoint Online delivers the powerful features of SharePoint without the associated overhead of managing the infrastructure.