Posts Tagged ‘Authorization’

How to get required Authorization Objects for a TCODE?

November 23rd, 2011

There are several ways to get all the authorization objects required by a transaction code. Normally this is not necessary, because SAP maintains the relationship internally: when you add a TCODE to a role, all the required authorization objects are pulled into the profile automatically, and you can then assign or change the values of each authorization field.

1. TCODE ST01 – trace the authorization checks while the transaction runs

2. TCODE SU24 – Maintain the Assignment of Authorization Objects

3. Tables USOBT (Relation transaction > authorization object) and TSTCA (Values for transaction code authorizations)
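As an added example (not code from the original post), the following report reads the two tables named in item 3 directly. It assumes a hypothetical report name and the standard field names of USOBT (NAME, TYPE, OBJECT, FIELD, LOW, HIGH) and TSTCA (TCODE, OBJCT, FIELD, VALUE); the SU24 customer copy USOBT_C has the same structure as USOBT, so the same SELECT works against it.

```abap
*&---------------------------------------------------------------------*
*& Report ZLIST_TCODE_AUTH_OBJECTS (hypothetical name, added example)
*& Lists the authorization objects and field values that SAP associates
*& with one transaction code, from USOBT and TSTCA.
*&---------------------------------------------------------------------*
REPORT zlist_tcode_auth_objects.

PARAMETERS: p_tcode TYPE tstc-tcode OBLIGATORY.

TYPES: BEGIN OF ty_proposal,
         object TYPE usobt-object,
         field  TYPE usobt-field,
         low    TYPE usobt-low,
         high   TYPE usobt-high,
       END OF ty_proposal.

DATA: lt_proposal TYPE STANDARD TABLE OF ty_proposal,
      ls_proposal TYPE ty_proposal,
      lt_tstca    TYPE STANDARD TABLE OF tstca,
      ls_tstca    TYPE tstca.

START-OF-SELECTION.

* 1. Field value proposals from USOBT. TYPE 'TR' marks transaction
*    entries; NAME holds the transaction code. SU24 writes customer
*    changes to USOBT_C, which has the same structure: change the table
*    name here to see the values your security team actually maintains.
  SELECT object field low high
    FROM usobt
    INTO TABLE lt_proposal
    WHERE type = 'TR'
      AND name = p_tcode.

  SORT lt_proposal BY object field.

  WRITE: / 'Proposals from USOBT for transaction', p_tcode.
  IF lt_proposal IS INITIAL.
    WRITE: / '  (no proposals maintained)'.
  ENDIF.
  LOOP AT lt_proposal INTO ls_proposal.
    WRITE: / ls_proposal-object, ls_proposal-field,
             ls_proposal-low,    ls_proposal-high.
  ENDLOOP.

* 2. Fixed authorization values stored with the transaction definition
*    (what SE93 shows under "Authorization Object")
  SELECT * FROM tstca
    INTO TABLE lt_tstca
    WHERE tcode = p_tcode.

  SKIP.
  WRITE: / 'Fixed authorization values from TSTCA for', p_tcode.
  IF lt_tstca IS INITIAL.
    WRITE: / '  (none)'.
  ENDIF.
  LOOP AT lt_tstca INTO ls_tstca.
    WRITE: / ls_tstca-objct, ls_tstca-field, ls_tstca-value.
  ENDLOOP.
```

Comparing the USOBT output against an ST01 trace of the same transaction is a quick way to spot authorization objects that are checked at runtime but have no SU24 proposal, which is exactly the gap the custom-TCODE section below is about.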

Custom TCODE & custom authorization object

If we develop add-on programs, assign them custom TCODEs, and put authorization checks in the programs, we can of course add these authorization objects to the profile manually. But that takes much time and is error-prone: the security team might miss some custom authorization objects when building the roles.

It is good practice to maintain the relationship between the custom TCODE and the custom authorization object. When the security team builds the roles, they can simply add the custom TCODE to the role, and the required authorization objects are derived into the profile automatically.

How to…?

Go to TCODE SU24 – Maintain the Assignment of Authorization Objects.

Enter the custom TCODE name and execute. On the next screen, add the custom authorization objects to this TCODE.

SAP Security – Build Role for RFC Communication User

November 15th, 2011

We need to create an RFC communication user when one SAP system communicates with another SAP system, or when an external system needs to access the SAP system. These users are often granted the SAP_ALL and SAP_NEW profiles. But this has a potential security issue: the user account can be abused for other purposes in the production system, and it does not adhere to the company security policy.

This post will guide our audience through building a minimized role for the RFC communication user.


SAP ABAP-Open dataset authority(sap open file authority)

October 25th, 2011

I wrote a program for my customer to upload files to the SAP application server. The program runs well on the test server.

But an authority problem happens when it comes to the production environment.

So I collected some information about the authority to open datasets.


SAP uses the authorization object S_DATASET to control the authority to read and write files.

It contains the following fields.

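As an added example (not the post's own program), this is the shape of an explicit S_DATASET check before an upload program writes to the application server. It assumes a hypothetical report name, the standard S_DATASET fields PROGRAM, ACTVT and FILENAME (activity 33 = read, 34 = write, 06 = delete), and reuses the message class zrpt that the ABAP example later on this page uses.

```abap
*&---------------------------------------------------------------------*
*& Report ZUPLOAD_WITH_DATASET_CHECK (hypothetical name, added example)
*& Checks S_DATASET explicitly before OPEN DATASET, so a missing
*& authorization fails with a clear message instead of a runtime error.
*&---------------------------------------------------------------------*
REPORT zupload_with_dataset_check.

PARAMETERS: p_file TYPE rlgrap-filename LOWER CASE OBLIGATORY.

DATA: lv_line TYPE string.

START-OF-SELECTION.

* S_DATASET fields: PROGRAM  = the ABAP program doing the access
*                   ACTVT    = 33 read, 34 write, 06 delete
*                   FILENAME = physical path on the application server
* The kernel performs this same check when OPEN DATASET runs; doing it
* first lets the program report the exact reason before touching the file.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '34'
    ID 'FILENAME' FIELD p_file.
  IF sy-subrc <> 0.
*   sy-subrc 4 = user lacks the authorization, 12 = object not assigned
    MESSAGE e000(zrpt) WITH 'No write authorization (S_DATASET) for'
                            p_file.
  ENDIF.

  OPEN DATASET p_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE e000(zrpt) WITH 'Cannot open file on application server'
                            p_file.
  ENDIF.

* Constructed sample content for the added example
  lv_line = 'constructed sample line written by the example report'.
  TRANSFER lv_line TO p_file.
  CLOSE DATASET p_file.

  WRITE: / 'File written:', p_file.
```

Because the check names the program (sy-repid) and the path, a role built for the production system can restrict the upload program to one directory via the FILENAME field rather than granting '*' for every program, which is the usual reason a program that "runs well on test" fails in production.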

Authority check in ABAP

September 28th, 2009

An authorization object is used to control access to different transaction codes. The authorization object is where permitted activities are configured against specific fields. E.g. Change (the activity) the material's text MAKTX (the specific field), or Read (the activity) a certain customer (using the customer number KUNNR as the specific field).

Before a user can be granted permission through the authorization object, the user's master record is assigned a role, which includes a profile. The profile contains what is simply called the authorization, and this is where the specific data for the authorization object's fields is assigned to the configured permitted activity. E.g. allow changes to any material text, or read customers within a given number range.

Below is a code example that demonstrates how to perform an authority check in ABAP.

* start of change - add custom code to check the authorization object ZFI_PLANT
  DATA: lt_t001w TYPE TABLE OF t001w,
        ls_t001w TYPE t001w.

* Read all plants that fall into the select-option range of the selection screen
  SELECT * INTO TABLE lt_t001w
    FROM t001w
    WHERE werks IN sp$00002.

* Check display authorization (ACTVT '03') for every selected plant
  LOOP AT lt_t001w INTO ls_t001w.
    AUTHORITY-CHECK OBJECT 'ZFI_PLANT'
                        ID 'ACTVT' FIELD '03'
                        ID 'WERKS' FIELD ls_t001w-werks.
*   sy-subrc 0 = authorized; any other value stops the report with an error message
    IF sy-subrc <> 0.
      MESSAGE e000(zrpt) WITH 'You do not have the authorization to'
                              'access plant'
                              ls_t001w-werks.
    ENDIF.
  ENDLOOP.
* end of change - add custom code to check the authorization object ZFI_PLANT

This is a great document about the authorization concept in SAP. You can download it here.

Some useful transactions to view the authorization objects

S_BCE_68001413 – Authorization Objects by Complex Selection Criteria
S_BCE_68001410 – By Object Name, Text
S_BCE_68001411 – By Object Class
S_BCE_68001412 – By Field, Text

These transactions are located under the following path in the SAP menu: Tools -> Administration -> User Maintenance -> Information System -> Authorization Objects.