WISHSAP

Wish SAP was easy.. As here

Thursday, April 3, 2014

Authorization object, User, Role, Profile, User Group and their assignment and usage in program.

This document helps you understand and create authorization objects for transactions, programs, and services in an SAP system. It also explains the procedure for creating a User, Role, Profile, and User Group, and for assigning them.
Authorization Concept
• The authorization concept protects transactions, programs, and services in SAP systems from unauthorized access.
• The administrator assigns authorizations to users; these determine which actions a user can execute in the SAP system.

Related Transactions
SU01 : User creation
SU21 : Authorization class and object creation
SUGR : User Group creation
PFCG : Role and Profile creation
ST01 : Authorization Trace
SU10 : User Mass Maintenance

Let’s take up the tasks in the following order:
1.     Creation of Authorization Class and Object.
2.     User Creation
3.     User Group Creation and assign User
4.     Role and profile Creation
5.     Assignment of Role to user
6.     Implement Authorization check in the program and testing

1. Creation of Authorization Class and Object
Go to T-code SU21.
• Click on Creation and then select Object Class.
• In the pop-up window, provide the authorization object class and click on Save.
• The object class is created; the authorization object will be created under it.
• Select the object class, right-click, and select Create Authorization Object.
• In the pop-up window, provide the authorization object name and description and click on Enter.
• Enter the authorization fields required for the authorization object.
• In this case we include two fields, ACTVT and BUKRS; these may vary according to your requirement.
• After all required fields are entered, click on SAVE and then click on PERMITTED ACTIVITIES.
• Select the activities as per the requirement and click on SAVE.
• The authorization object is created; click on CLOSE.
• The authorization object can now be seen under the object class.

2. User Creation using T-code SU01
• Enter the user name and click on the create button.
• Provide the user's last and first name.
• In the Logon data tab, provide the user's initial password.
• Role and profile details will be empty.
• Click on SAVE. The new user “ZTEST_AUTH” will be created.

3. User Group Creation: SUGR (assignment of a user to a user group is optional)
• Users can be assigned to user groups for mass maintenance using transaction SU10. The Global User Manager (transaction SUUM) uses the user groups.
• In the user maintenance transaction (SU01), you can assign users to one or more groups on the Groups tab.
• Provide the user group name.
• Click on SAVE. The user group will be created and user “ZTEST_AUTH” will be assigned to user group ZTEST_GROUP.

4. Role and Profile Creation
Go to transaction PFCG.
• A role is used to choose a menu and create the corresponding authorization profile.
• The role can be assigned to users.
• Provide the role name and click on Single Role.
• In the next screen, provide the description for the role, in this case “Accountant”.
• Then go to the Authorization tab and click on “CHANGE AUTHORIZATION DATA”.
• In the pop-up window, click on “DO NOT SELECT TEMPLATE”.
• Click on “MANUALLY” in the next window.
• In the pop-up window, enter the authorization group created and click on Enter.
• The authorization object will be added to the role.
• Click on expand.
• Click on Change Activity.
• In the pop-up window, select the authorization activity for the role and click on Save.
• Then click on Change Company code to assign the “Company code” for the role.
• Provide the required company code and click on SAVE.
• Click on Generate for profile creation.
• Provide the profile name and click on Save.
• The profile will be generated for the role.
• Company code and activities are created; click on Save.
• Click on Generate again to activate the profile created.
• Then press Enter and click on BACK.
• The role and profile are generated and activated.

5. Assignment of Role and Profile to the User
• Go to T-code SU01.
• Enter the user “ZTEST_AUTH” and click on Change.
• Go to the Roles tab, assign the role created, and press Enter.
• The profile will be populated automatically for the specific role.
• In addition to this profile, other profiles can be added for other activities (such as creation of reports and execution of standard T-code SE38, etc.).
• Click on Save.
• The authorization object is assigned to the role.
• The role and profile are assigned to the user.
• Now write a program to test the same.

6. Implement Authorization Check in the Program

Testing the Authorization Check
• The current logon user does not have the authorization, as the role and profile are not assigned.
• Execute the report with the current user (unauthorized user).
• The system throws a message.
• Log in to the system as user ZTEST_AUTH (user with authorization) and execute the report.

Cheers!! The authorization check is passed and records are accessible :)

Execute the report for another company code. The authorization check should fail, because only company code “0001” is assigned to the role.

As expected, the authorization check fails!!
Here we have successfully finished the creation and implementation of an authorization object!!
Finally, let’s see the code for the authorization check.

PARAMETERS company TYPE bukrs.
DATA lt_lfb1 TYPE TABLE OF lfb1.

" Check activity 01 for the company code entered on the selection screen
AUTHORITY-CHECK OBJECT 'ZAUC_OBJ1'
  ID 'ACTVT' FIELD '01'
  ID 'BUKRS' FIELD company.
IF sy-subrc = 0.
  " Authorized: read the vendor records for this company code
  SELECT * FROM lfb1 INTO TABLE lt_lfb1 WHERE bukrs = company.
  IF sy-subrc = 0.
    WRITE: 'Records accessible'.
  ENDIF.
ELSE.
  MESSAGE 'You are not authorized to execute this report' TYPE 'I'.
ENDIF.

Another example:

AUTHORITY-CHECK OBJECT 'ZAUC_OBJ1'
  ID 'ACTVT' DUMMY            " use DUMMY to skip the check on this field
  ID 'BUKRS' FIELD company.
IF sy-subrc <> 0.
  MESSAGE 'You are not authorized to execute this report' TYPE 'I'.
ENDIF.
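
An added example (not the original author's code) that extends the check above from one company code to a selection range: it checks ZAUC_OBJ1 for each company code, reads only the authorized ones, and stops when none is authorized, because an empty range in a WHERE ... IN condition would select every row. The report name, the variable names and the use of table T001 to resolve the company codes are assumptions.

```abap
REPORT zauth_check_demo.

" Added example. ZAUC_OBJ1 and its fields ACTVT/BUKRS come from the
" post; the report name and all variable names are assumptions.
TABLES t001.
SELECT-OPTIONS s_bukrs FOR t001-bukrs.

DATA: lt_bukrs   TYPE TABLE OF t001-bukrs,
      lv_bukrs   TYPE t001-bukrs,
      lt_allowed TYPE RANGE OF t001-bukrs,
      ls_allowed LIKE LINE OF lt_allowed,
      lt_lfb1    TYPE TABLE OF lfb1,
      lv_count   TYPE i.

START-OF-SELECTION.
  " Resolve the selection to concrete company codes first, so that
  " every value that will be read is checked individually.
  SELECT bukrs FROM t001 INTO TABLE lt_bukrs WHERE bukrs IN s_bukrs.

  LOOP AT lt_bukrs INTO lv_bukrs.
    AUTHORITY-CHECK OBJECT 'ZAUC_OBJ1'
      ID 'ACTVT' FIELD '01'
      ID 'BUKRS' FIELD lv_bukrs.
    IF sy-subrc = 0.
      " Keep only the company codes the user is authorized for
      ls_allowed-sign   = 'I'.
      ls_allowed-option = 'EQ'.
      ls_allowed-low    = lv_bukrs.
      APPEND ls_allowed TO lt_allowed.
    ENDIF.
  ENDLOOP.

  " An empty range table matches all rows in WHERE ... IN, so a user
  " with no authorization at all must not reach the SELECT below.
  IF lt_allowed IS INITIAL.
    MESSAGE 'You are not authorized to execute this report' TYPE 'I'.
    RETURN.
  ENDIF.

  SELECT * FROM lfb1 INTO TABLE lt_lfb1 WHERE bukrs IN lt_allowed.
  lv_count = lines( lt_lfb1 ).
  WRITE: / 'Records accessible:', lv_count.
```

The activity value in the check ('01' here, as in the post) must match an activity granted in the role, otherwise every company code is rejected.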













2 comments:

  1. Thank You... for the detailed pictorial presentation :-) Found really helpful...

  2. It is an awesome document.. Thank you very much..
