Scribd Logo
Upload

Welcome to Scribd!

  • How To Create A New Authorization Object in SAP

    Uploaded by

    Biswajeet1991
    31 views7 pages
    Auth object creation in sap

    Original Title

    how to Create a New Authorization Object in SAP

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Auth object creation in sap

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    31 views7 pages

    How To Create A New Authorization Object in SAP

    Uploaded by

    Biswajeet1991
    Auth object creation in sap

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    How To Create A New Authorization Object in SAP?

    sapuniversity.eu /how-to-create-a-new-authorization-object-in-sap/
    In this post I am going to show you the exact steps used in order to create a new authorization object in
    any SAP system such as SAP ECC & SAP CRM.
    In certain contexts, you may need several authorizations to perform an operation in the SAP system.
    The resulting contexts can be very complex. The SAP authorization concept has been realized on the
    basis of authorization objects to provide an understandable and easy-to-follow procedure. Several
    system elements that are to be protected form an authorization object.
    Authorization objects enable complex checks of an authorization that allows a user to carry out an
    action. An authorization object groups up to ten authorization fields that are checked in an AND
    relationship.
    For an authorization check to be successful, all field values of the authorization object must be
    maintained in the user master data.
    Authorization objects are assigned to object classes for purposes of clarity. The authorization objects
    for mySAP CRM belong to the CRM (Customer Relationship Management) object class.
    You can display or edit the authorization objects and their fields using transaction SU21. You can also
    use this transaction to create new object classes and authorization objects.
    The authorization objects of the CRM (CRM Component) object class have, as with all SAP
    authorization objects, up to ten fields, which are read by the system during an authorization, check.
    Example: CRM_ORD_PR (Authorization Object CRM Order - Business Transaction Type)

    As you can see in the above screenshot, this particular authorization object consists out of two
    Authorization fields, being PR_TYPE (process type or Transaction type) and ACTVT (allowed
    activity).

    1. Creating a new SAP Authorization Object


    In order to create an authorization object, launch the transaction code SU21.

    Within this transaction code you can actually create two important things.
    Create a new authorization object class
    Create a new authorization object

    What you see in the above screenshot (the folders) are actually the authorization object classes
    available within a SAP CRM 7.0 system.
    Now to keep it simple we will create a new authorization object in the existing authorization object class
    CRM.
    In order to create a new authorization object within that particular class, I select the class, and next do
    a right-mouse click, which shows me the following menu:

    Alternatively you can select the relevant


    authorization class, and from the menu select the
    option to create the new authorization object:

    I prefer the first option.

    In the pop-up that showed up I entered:


    a name for my new authorization
    object: Z_BW_LIST
    a useful description for my object
    the relevant authorization field(s) - I
    only used an existing authorization
    field for this purpose, called ACTVT
    (allowed activity)
    Next I pressed the button permitted
    activities. By doing this, the system will
    first ask you to select a relevant package.
    Select an appropriate package and save.
    In the list of available activities for the
    authorization field ACTVT I only selected
    change and display, as this is what I want
    to be checked for my scenario.
    You will also need a Workbench-request to
    save your new authorization object in. I
    selected an existing WB-request for this
    purpose.

    Once done, it will look like this.

    I also suggest you maintain some documentation for any new authorization object you create. You can
    do this using the button Create Object documentation. Here you should probably explain for which
    program, transaction code or BSP application (component/view) you use this authorization object.
    Furthermore explain how the object is being checked and what it will allow a user to perform once he
    gets this authorization.
    A last (logical) step would be to regenerate the SAP_ALL Profile - just so that SAP_ALL really stays a
    SAP_ALL profile.
    Some comments to be added from the real experts on SAP authorizations (thanks to some sapfans
    authorization & abap gurus such as thx4allthefish; Rich and Vlozano )...
    This approach does not work for SAP BI
    There are for sure additional steps that are not mentioned or explained in this particular post
    such as:

    updating SU24/SU22 to ensure all USOB* tables are correct up-to-date


    having a new authorization object is one thing, but you'll also need to assure it is being
    checked in your abap coding
    In future posts I will add, I'll try to explain things like:
    * importance of SU24/SU25
    * creating PFCG authorization roles such as single & composite roles & the basics of master and
    derived roles.
    I'll probably try to get some review and proofreading from the people above who actually are
    domain experts on SAP authorizations.

    Davy Pelssers
    The SAP University Team

    You might also like