Professional Documents
Culture Documents
sapuniversity.eu /how-to-create-a-new-authorization-object-in-sap/
In this post I am going to show you the exact steps used in order to create a new authorization object in
any SAP system such as SAP ECC & SAP CRM.
In certain contexts, you may need several authorizations to perform an operation in the SAP system.
The resulting contexts can be very complex. The SAP authorization concept has been realized on the
basis of authorization objects to provide an understandable and easy-to-follow procedure. Several
system elements that are to be protected form an authorization object.
Authorization objects enable complex checks of an authorization that allows a user to carry out an
action. An authorization object groups up to ten authorization fields that are checked in an AND
relationship.
For an authorization check to be successful, all field values of the authorization object must be
maintained in the user master data.
Authorization objects are assigned to object classes for purposes of clarity. The authorization objects
for mySAP CRM belong to the CRM (Customer Relationship Management) object class.
You can display or edit the authorization objects and their fields using transaction SU21. You can also
use this transaction to create new object classes and authorization objects.
The authorization objects of the CRM (CRM Component) object class have, as with all SAP
authorization objects, up to ten fields, which are read by the system during an authorization, check.
Example: CRM_ORD_PR (Authorization Object CRM Order - Business Transaction Type)
As you can see in the above screenshot, this particular authorization object consists out of two
Authorization fields, being PR_TYPE (process type or Transaction type) and ACTVT (allowed
activity).
Within this transaction code you can actually create two important things.
Create a new authorization object class
Create a new authorization object
What you see in the above screenshot (the folders) are actually the authorization object classes
available within a SAP CRM 7.0 system.
Now to keep it simple we will create a new authorization object in the existing authorization object class
CRM.
In order to create a new authorization object within that particular class, I select the class, and next do
a right-mouse click, which shows me the following menu:
I also suggest you maintain some documentation for any new authorization object you create. You can
do this using the button Create Object documentation. Here you should probably explain for which
program, transaction code or BSP application (component/view) you use this authorization object.
Furthermore explain how the object is being checked and what it will allow a user to perform once he
gets this authorization.
A last (logical) step would be to regenerate the SAP_ALL Profile - just so that SAP_ALL really stays a
SAP_ALL profile.
Some comments to be added from the real experts on SAP authorizations (thanks to some sapfans
authorization & abap gurus such as thx4allthefish; Rich and Vlozano )...
This approach does not work for SAP BI
There are for sure additional steps that are not mentioned or explained in this particular post
such as:
Davy Pelssers
The SAP University Team