Authorization checks are a means of protecting functions or objects in an AS ABAP. The programmer of the function determines where and how these checks are made, while the user administrator determines who can execute a function or access an object.
The following terms are central to the SAP authorization concept:
Authorization Field
Smallest unit in an authorization object. An authorization field represents either data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
Maintenance using transaction SU20.
Authorization Object
Repository object that forms the basis of authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
Maintenance using transaction SU21.
Authorization
Entry in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
Generation from transaction PFCG (profile generator for role maintenance). Display using transaction SU03.
Authorization Profile
Grouping of several individual authorizations. Several authorization profiles can be assigned to an authorization. Authorizations are assigned to users by specifying authorization profiles in the user master record.
Generation from transaction PFCG (profile generator for role maintenance). Display using transaction SU02.
User Master Record
The existence of a user master record is a prerequisite for logon to an AS ABAP. The master record determines which actions users are allowed to execute and which authorizations they are assigned. Default settings, such as the format in which decimal places are displayed in lists, are also stored in the user master record. An authorization profile can be assigned to any number of users.
Maintenance in transaction SU01.
Authorization Check
Check to determine whether the current program user has a certain authorization. The check compares a value with the corresponding entries in each authorization field in an authorization object in the user master record. Check indicators control whether an authorization check is performed.
The ABAP statement for this is
Creation of authorizations in the user master record.
Composite Profile
Composite profiles were used (before the profile generator was introduced) in manual profile maintenance (transaction SU02) to organize the authorization structure, but are not necessarily required. An authorization profile can be assigned to any number of composite profiles.
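
How the terms above fit together in an authorization check, as an added Python model that is not SAP code and not part of the original page: every checked field must be satisfied within a single authorization, so values from different authorizations for the same object do not combine. The object `Z_FLIGHT`, its fields, the profile names and the user are constructed for illustration; the activity identifiers `02` (change) and `03` (display) are assumed, and only complete values and generic values ending in `*` are modelled.

```python
# Simplified model of the terms above; not SAP code. All names are constructed.
from dataclasses import dataclass, field


def value_matches(granted: str, checked: str) -> bool:
    """A complete value must match exactly; a generic value ends in '*'."""
    if granted.endswith("*"):
        return checked.startswith(granted[:-1])
    return granted == checked


@dataclass
class Authorization:
    obj: str                      # authorization object, e.g. "Z_FLIGHT"
    values: dict[str, list[str]]  # authorization field -> granted values

    def covers(self, obj: str, checked: dict[str, str]) -> bool:
        # Every checked field must be satisfied inside this one authorization.
        return obj == self.obj and all(
            any(value_matches(g, v) for g in self.values.get(f, []))
            for f, v in checked.items()
        )


@dataclass
class UserMasterRecord:
    name: str
    profiles: dict[str, list[Authorization]] = field(default_factory=dict)

    def authority_check(self, obj: str, **checked: str) -> bool:
        # Authorizations from all assigned profiles are alternatives (OR).
        return any(
            auth.covers(obj, checked)
            for auths in self.profiles.values()
            for auth in auths
        )


# Constructed sample data: hypothetical object Z_FLIGHT with fields CARRID and ACTVT.
DISPLAY, CHANGE = "03", "02"  # assumed activity identifiers
clerk = UserMasterRecord("CLERK", {
    "Z_DISPLAY_ALL": [Authorization("Z_FLIGHT", {"CARRID": ["*"], "ACTVT": [DISPLAY]})],
    "Z_CHANGE_L": [Authorization("Z_FLIGHT", {"CARRID": ["L*"], "ACTVT": [DISPLAY, CHANGE]})],
})

if __name__ == "__main__":
    for carrier, activity in [("LH", CHANGE), ("AA", DISPLAY), ("AA", CHANGE)]:
        ok = clerk.authority_check("Z_FLIGHT", CARRID=carrier, ACTVT=activity)
        print(f"{carrier} ACTVT={activity}: {'granted' if ok else 'denied'}")
```

The third case is denied even though the user holds `CARRID = *` in one authorization and `ACTVT = 02` in another, which is the behaviour to keep in mind when reviewing roles for unintended access.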