Authorization Checks
To ensure that a user has the appropriate authorizations when he or she performs an action, users are
subject to authorization checks.
The following actions are subject to authorization checks that are performed before the start of a program or
table maintenance and which the SAP applications cannot avoid:
The system checks in table TSTC whether the transaction code is valid and whether the system
administrator has locked the transaction.
The system then checks whether the user has authorization to start the transaction.
The SAP system performs the authorization checks every time a user starts a transaction from the
menu or by entering a command. Indirectly called transactions are not included in this authorization
check. For more complex transactions, which call other transactions, there are additional
authorization checks.
The authorization object S_TCODE (transaction start) contains the field TCD (transaction
code). The user must have an authorization with a value for the selected transaction code.
If you create a transaction in transaction SE93, you can assign an additional authorization
to this transaction. This is useful if you want to be able to protect a transaction with a
separate authorization. If this is not the case, you should consider using other methods to
protect the transaction (such as AUTHORITY-CHECK at program level).
The system checks whether the transaction code is assigned an authorization object. If so, a check
is made that the user has authorization for this authorization object.
help.sap.com/saphelp_nw04/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
1/3
6/12/13
You have globally deactivated authorization objects for all transactions with transaction SU24
or transaction SU25.
For the entries that you have made with transactions SU24 and SU25 to take effect,
you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to Y (using
transaction RZ10).
All of the above checks must be successful so that the user can start the transaction. Otherwise, the
transaction is not called and the system displays an appropriate message.
After you have assigned reports to authorization classes or have changed assignments,
you may have to adjust objects in your authorization concept (such as roles (activity
groups), profiles, or user master records).
There are certain system reports that you cannot assign to any authorization class.
These include:
RSRZLLG0
Reports that are called using SUBMIT in a customer exit at logon (such as
SUSR0001, ZXUSRU01).
You can assign a table to authorization group Z000 (use transaction SM30 for table
TDDAT). A user who wants to access this table must have authorization object S_TABU_DIS
in his or her profile with the value Z000 in the field DICBERCLS (authorization group for
ABAP Dictionary objects).
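The program-level AUTHORITY-CHECK mentioned above, as an added ABAP example that is not part of the SAP documentation: it checks S_TABU_DIS for authorization group Z000, then checks S_TCODE explicitly before an indirect call, because indirectly called transactions are not covered by the transaction start check. The report name ZAUTH_CHECK_DEMO and the transaction code ZDEMO_TX are hypothetical, and the activity value 03 (display) in field ACTVT is an assumption about the access being protected.

```abap
REPORT zauth_check_demo.

* Hypothetical names used for illustration only:
*   report ZAUTH_CHECK_DEMO, transaction code ZDEMO_TX.
CONSTANTS: gc_tcode TYPE sy-tcode   VALUE 'ZDEMO_TX',
           gc_group TYPE c LENGTH 4 VALUE 'Z000'.

START-OF-SELECTION.

* 1) Table access: the user needs S_TABU_DIS with DICBERCLS = Z000.
*    ACTVT 03 (display) is assumed here; use the activity that
*    matches what the program really does with the table.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD gc_group
    ID 'ACTVT'     FIELD '03'.
  IF sy-subrc <> 0.
*   Any non-zero return code means the check failed: stop here.
    MESSAGE 'No display authorization for table group Z000' TYPE 'E'.
  ENDIF.

* 2) Indirect call: the start check on S_TCODE is not applied to
*    transactions called from a program, so check field TCD
*    explicitly before calling.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD gc_tcode.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to start the called transaction' TYPE 'E'.
  ENDIF.

* Reached only when both checks returned sy-subrc = 0.
  CALL TRANSACTION gc_tcode.
```

Evaluate sy-subrc immediately after each AUTHORITY-CHECK; the statement only sets the return code and does not stop the program by itself.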
See also: