
Chapter 09

Authorization Checks
SAP authorization principles
Authorization checks in programs

SAP AG

Objectives
Understanding SAP authorizations
Performing authorization checks in program s

SAP Authorization Principles

[Figure: authorization object S_CARRID with the fields CARRID (Airline carrier) and ACTVT (Activity).
Two authorizations built on this object are shown:
 - Authorization 'Display' for object S_CARRID: CARRID = *, ACTVT = Display
 - Authorization 'Change' for object S_CARRID: CARRID = LH, ACTVT = Change]

All data in the R/3 System must be protected against access by unauthorized users.
Authorizations are assigned in user master maintenance. You can determine explicitly which data a
user should be able to access and what type of access is possible. For example, you may want a user
to be able to display the data of all airline carriers, but not be authorized to make any changes. During
each authorization check, the system checks the activity and airline carrier fields. When defining
authorizations, you must specify values for these fields (for example, activity 'Change' and airline
carrier 'LH', or activity 'Display' and airline '*'). To do this, you need to create an authorization object
consisting of the 'activity' and 'airline carrier' fields and address this object both when you assign
authorizations in user master records and when you perform authorization checks in programs.
Authorization objects themselves only define the combination of fields to be addressed simultaneously
and serve as templates for both authorizations and authorization checks. To make the maintenance and
identification of authorization objects easier, they are combined to form object classes. One or more
classes are assigned to an application. From the Development menu on the initial screen of the
ABAP/4 Development Workbench, you can access the maintenance transaction for authorization
objects and display a list of all objects with their corresponding fields and documentation.

Authorization Checks in Programs

REPORT RSAAA09A.
...
AUTHORITY-CHECK OBJECT 'S_CARRID'
         ID 'CARRID' FIELD 'LH'
         ID 'ACTVT'  FIELD '02'.
IF SY-SUBRC NE 0.
  ...
ENDIF.

[Figure: the AUTHORITY-CHECK statement passes the object S_CARRID and the required values for
the fields ACTVT and CARRID to the check, which compares them with the user's authorizations and
returns the result in the return code.]
When making authorization checks in programs, you specify the object and the values the user needs
in an authorization to be able to access the object. You do not have to specify the name of the
authorization.
The above example checks whether the user is authorized for the object S_CARRID which has the
value 'LH' in the field CARRID (airline carrier) and the value '02' for 'Change' in the field ACTVT
(activity). The abbreviations for the possible activities are documented in the tables TACT and
TACTZ and also in the appropriate objects.
Important: The AUTHORITY-CHECK statement performs the authorization check and returns an
appropriate return code value. When reading this return code, you can specify yourself the
consequences of a missing authorization (for example, the program terminates or skips some output lines).

AUTHORITY-CHECK Syntax

AUTHORITY-CHECK OBJECT <authorization object>


ID <authorization field1> FIELD <required value>
ID <authorization field2> FIELD <required value>
....
ID <authorization fieldn> DUMMY.
IF SY-SUBRC NE 0.
...
ENDIF.

Under AUTHORITY-CHECK, you must specify all the fields of the object. Otherwise, the system
returns a value other than zero. If you do not want to check a particular field, you specify
DUMMY instead of FIELD after that field's ID.
Example: When calling a change transaction, it makes sense to check whether the user is authorized to
change the data of any flight connection at all, without naming a particular airline carrier:
AUTHORITY-CHECK OBJECT 'S_CARRID'
         ID 'ACTVT'  FIELD '02'
         ID 'CARRID' DUMMY.
The most important return code values of AUTHORITY-CHECK are:
0: The user has an authorization with the required values.
4: The user does not have the required authorization.
8: Not all the fields of the authorization object have been specified, so the check could not be
performed.
For a complete list of return code values, please refer to the online documentation for AUTHORITY-CHECK.
After the FIELD option, you can only append one single field, not a selection table. You can use
function modules to perform the AUTHORITY-CHECK for all values of the selection table.
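The following report is an added example (not part of the course material) that combines both checks described above: a coarse check with DUMMY directly after the selection screen, and the record-by-record check inside the SELECT loop. It also treats return code 8 differently from 4, because 8 signals a defect in the program rather than a missing authorization. The report name and the message texts are assumptions.

```abap
REPORT zauth_demo.   " hypothetical report name, not from the course

TABLES: spfli.
SELECT-OPTIONS: s_carr FOR spfli-carrid.

DATA: lv_denied TYPE i.   " connections withheld from this user

* Coarse check right after the selection screen: may this user change
* flight data for ANY airline? CARRID is passed as DUMMY, so only ACTVT
* is compared. A type-E message keeps the selection screen ready for input.
AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
           ID 'ACTVT'  FIELD '02'
           ID 'CARRID' DUMMY.
  CASE sy-subrc.
    WHEN 0.
      " user may change at least one airline's data; continue
    WHEN 8.
      " Not all fields of S_CARRID were named: a defect in this program,
      " not a missing authorization of the user, so terminate hard.
      MESSAGE 'AUTHORITY-CHECK on S_CARRID is incomplete' TYPE 'A'.
    WHEN OTHERS.
      MESSAGE 'No authorization to change flight data' TYPE 'E'.
  ENDCASE.

START-OF-SELECTION.
  " Fine-grained check per record: SELECT itself checks nothing.
  SELECT * FROM spfli WHERE carrid IN s_carr.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
             ID 'CARRID' FIELD spfli-carrid
             ID 'ACTVT'  FIELD '02'.
    IF sy-subrc = 0.
      WRITE: / spfli-carrid, spfli-connid, spfli-cityfrom, spfli-cityto.
    ELSE.
      lv_denied = lv_denied + 1.   " count here, report once at the end
    ENDIF.
  ENDSELECT.
  IF lv_denied > 0.
    WRITE: / 'Connections not shown for lack of change authorization:',
             lv_denied.
  ENDIF.
```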

Summary

[Flowchart: Selection -> SELECT -> AUTHORITY-CHECK (against the user master records) -> SY-SUBRC = 0?
 Yes: continue with the next SELECT record; No: Message]
You perform an authorization check for each record read with SELECT. The AUTHORITY-CHECK
statement first checks whether the user has the authorization containing all the required values. You
then read the return code value in the system field SY-SUBRC. If this value is 0, the user has the
required authorization and the program can continue. If the value is something other than 0, the user
does not possess the required authorization and the system outputs an appropriate message.
Later in this course, you will learn how to make fields on the selection screen ready for input again if
you perform the authorization check right after the selection screen, and how to output a message if
the user does not have the required authorization.

Summary
Since the SELECT statement does not perform any
authorization checks, you must program these yourself
with AUTHORITY-CHECK. By doing this, you can protect
any functions and objects in the R/3 System from
unauthorized access.

Exercise Chapter 9: Authorization Check

1. Name of your report: ZBCA##I1
   ##: Group number
   Development class: $TMP (local)

Task:
Copy your solution to Chapter 8, Exercise 1 or the example
solution and complete the authorization check for the airline
carrier.
If the authorization check is positive, display the data from
Exercise 8.1. If the user does not have the authorization,
output the appropriate message text.
Note:
The authorization is checked against the object S_CARRID.

Solution Chapter 9: Authorization Check

1. REPORT RSAAA091.
   TABLES: SPFLI.
   SELECT-OPTIONS: SGES FOR SPFLI-CARRID DEFAULT 'AA' TO 'LH'.

   SELECT * FROM SPFLI WHERE CARRID IN SGES
            ORDER BY CARRID CITYFROM CITYTO.

*    Check the display authorization (ACTVT '03') for each carrier read.
     AUTHORITY-CHECK OBJECT 'S_CARRID'
              ID 'CARRID' FIELD SPFLI-CARRID
              ID 'ACTVT'  FIELD '03'.
     IF SY-SUBRC NE 0.
*      No authorization for this carrier: output the message text only.
       WRITE: / 10 SPFLI-CARRID, TEXT-002.
     ELSE.
       WRITE: / 10 SPFLI-CARRID,
                20 SPFLI-CONNID,
                30 SPFLI-CITYFROM,
                50 SPFLI-CITYTO.
     ENDIF.

   ENDSELECT.
*  SY-SUBRC after ENDSELECT is not 0 if no record was read at all.
   IF SY-SUBRC NE 0.
     WRITE: / TEXT-001.
   ENDIF.