Defining Authorization objects for custom database tables

By Divya Nayudu, TCS  

Authorization Objects  

Authorization Object, as the name itself suggests, is a method of restricting users to access any particular application created in the system. It could simply be: denying user for viewing confidential data on-screen or denying access to certain Transactions.

Taking this feature into consideration, SAP gets the flexibility to decide at runtime whether a particular user is supposed to access a given application or not.  

To get an in-depth picture on the Authorization and the way it works, we’ll look at an example which would demonstrate the use of Authorization Object and the way to use.

Example:

Requirement – We have a few Z-tables in our system that consists of confidential data, which cannot be accessed by all users. Only authorized persons can have access to the data. So, incase these tables are being used in any program, for display/write purpose, that program would be executed only by Authorized users. Please make sure to disable Table Entries, while creating tables, and not to create any Table Maintenance Generator also. Only this program would be used to perform read/write operations on the table.  

Resolution – We’ll see, step by step, what all needs to be done in order to fulfill the mentioned requirement.  

Giving authorization to access (read / write) into z-tables  

Steps:  

1.       To begin with Authorization Object, we’ll enter the Tcode: SU21. Here, we will create the following, in the order shown:  

                     I.      Object Class

                   II.      Authorization Object  

2.       On clicking the Object Class (as shown in the above screen shot), you’ll see the window shown below. Enter the Object class name, description & click on SAVE. You can also use available objects, to create your Authorization Object. Like incase of HR module, you can make use of Object Class “HR”, then you need not create one.

3.       Once you create Object class (E.g. Test), you’ll see a folder with that name in the list. Now your object class is ready. We will need this Object class to encapsulate the Authorization object that we will be creating. Click on the Object created, and then click on “Create - Authorization Object” (shown in the figure step 1). On clicking, you’ll see the below shown screen.

Give respective field name, in our case, PERNR (Employee Number), as shown in the above diagram. We will be keeping a check on the employee number, and see if the employee has authorization to access the report (made to view z-tables) or not.  

4.       Now, we need to create a Role, inside which we will attach our Authorization Object. Enter Transaction code: PFCG to create a role.  

Select the “Authorizations” tab. And Click on the icon next to “profile name”, as shown in the figure above. On the click of that icon, the system will generate a Profile name and a description for the same.  

5.       Click on the “Change authorization data” as shown in the figure below:  

You’ll see a new screen with the Role Name on top left. Here you will have to add your ‘Authorization Object’ that was created in SU21.

6.Click on the “Manually” button shown in the toolbar, to add the Authorization object, as shown in the figure below. Here you can add your Authorization object in the list and press enter.  

7. Now you need to add values (Employee numbers) in your object, for those who would be given authorization. In our case, we will put a “*” symbol (to allow the system to provide access to any employee, which is Assigned this role).

8. Press Save and then Generate the profile by clicking on ‘generate’ icon.  

9. Finally you come out of the screen pressing back button. And you will see the Authorizations tab with a Green symbol, meaning, Authorization object has been assigned and the role can be used.  

10. After these steps, if you want to give authorizations to say Employee No.: 96. Go to Transaction SU01, click on the Roles tab and assign our role name, in our case : test_role.  

This way, you can assign this role to all those users, who are supposed to be authorized to access the report (for data entry in the table).  

11. Finally, in the main program, which has been created, we need to write a small code, as shown below, which will decide if that employee is authorized or not:  

REPORT  ZCHECK_AUTH.

DATA : L_PERNR TYPE PERNR_D.
SELECT SINGLE PERNR INTO L_PERNR FROM PA0105
  WHERE UNAME EQ SY-UNAME AND USRTY EQ '0001' AND
  BEGDA LE SY-DATUM AND ENDDA GE SY-DATUM.

AUTHORITY-CHECK OBJECT 'Z_OBJECT1'
         ID 'PERNR' FIELD L_PERNR.

IF sy-subrc <> 0.
    MESSAGE 'No authorization' TYPE 'E'.
ELSE.
**** Here you can have the Query to view the table or perform any
**** action related to the Z-tables

    MESSAGE 'Congrats! You are authorized' TYPE 'I'.
ENDIF.  

If the user passes this authorization check, the return code SY-SUBRC is set to 0. Hence, users who are not assigned the Role, if they try to access this report; they’ll not be able to do the same.  

This way, you can provide authorizations on any Z- objects.