Defining Authorization objects for custom database tables

By Divya Nayudu, TCS

Authorization Objects Authorization Object, as the name itself suggests, is a method of restricting users to access any particular application created in the system. It could simply be: denying user for viewing confidential data on-screen or denying access to certain Transactions. Taking this feature into consideration, SAP gets the flexibility to decide at runtime whether a particular user is supposed to access a given application or not. To get an in-depth picture on the Authorization and the way it works, well look at an example which would demonstrate the use of Authorization Object and the way to use. Example: Requirement We have a few Z-tables in our system that consists of confidential data, which cannot be accessed by all users. Only authorized persons can have access to the data. So, incase these tables are being used in any program, for display/write purpose, that program would be executed only by Authorized users. Please make sure to disable Table Entries, while creating tables, and not to create any Table Maintenance Generator also. Only this program would be used to perform read/write operations on the table. Resolution Well see, step by step, what all needs to be done in order to fulfill the mentioned requirement. Giving authorization to access (read / write) into z-tables Steps: 1. To begin with Authorization Object, well enter the Tcode: SU21. Here, we will create the following, in the order shown: I. Object Class II. Authorization Object

2.

On clicking the Object Class (as shown in the above screen shot), youll see the window shown below. Enter the Object class name, description & click on SAVE. You can also use available objects, to create your Authorization Object. Like incase of HR module, you can make use of Object Class HR, then you need not create one.

3.

Once you create Object class (E.g. Test), youll see a folder with that name in the list. Now your object class is ready. We will need this Object class to encapsulate the Authorization object that we will be creating. Click on the Object created, and then click on Create Authorization Object (shown in the figure step 1). On clicking, youll see the below shown

screen.

Give respective field name, in our case, PERNR (Employee Number), as shown in the above diagram. We will be keeping a check on the employee number, and see if the employee has authorization to access the report (made to view z-tables) or not. 4. Now, we need to create a Role, inside which we will attach our Authorization Object. Enter Transaction code: PFCG to create a role.

Select the Authorizations tab. And Click on the icon next to profile name, as shown in the figure above. On the click of that icon, the system will generate a Profile name and a description for the same. 5. Click on the Change authorization data as shown in the figure below:

Youll see a new screen with the Role Name on top left. Here you will have to add your Authorization Object that was created in SU21. 6.Click on the Manually button shown in the toolbar, to add the Authorization object, as shown in the figure below. Here you can add your Authorization object in the list and press enter.

7. Now you need to add values (Employee numbers) in your object, for those who would be given authorization. In our case, we will put a * symbol (to allow the system to provide access to any employee, which is Assigned this role).

8. Press Save and then Generate the profile by clicking on generate icon.

9. Finally you come out of the screen pressing back button. And you will see the Authorizations tab with a Green symbol, meaning, Authorization object has been assigned and the role can be used.

10. After these steps, if you want to give authorizations to say Employee No.: 96. Go to Transaction SU01, click on the Roles tab and assign our role name, in our case : test_role.

This way, you can assign this role to all those users, who are supposed to be authorized to access the report (for data entry in the table). 11. Finally, in the main program, which has been created, we need to write a small code, as shown below, which will decide if that employee is authorized or not: REPORT ZCHECK_AUTH. DATA : L_PERNR TYPE PERNR_D. SELECT SINGLE PERNR INTO L_PERNR FROM PA0105 WHERE UNAME EQ SY-UNAME AND USRTY EQ '0001' AND BEGDA LE SY-DATUM AND ENDDA GE SY-DATUM. AUTHORITY-CHECK OBJECT 'Z_OBJECT1' ID 'PERNR' FIELD L_PERNR. IF sy-subrc <> 0. MESSAGE 'No authorization' TYPE 'E'. ELSE.

**** Here you can have the Query to view the table or perform any **** action related to the Z-tables MESSAGE 'Congrats! You are authorized' TYPE 'I'. ENDIF. If the user passes this authorization check, the return code SY-SUBRC is set to 0. Hence, users who are not assigned the Role, if they try to access this report; theyll not be able to do the same.

This way, you can provide authorizations on any Z- objects.