Tuesday, November 20, 2007

Programming Authorization Checks

A programmer wants to make an authorization check before bookings for business customers can be changed.

To do this, the programmer should create authorization fields (ACTVT and CUSTTYPE) and, for each field, specify the value to be checked (02, B). Authorization fields are created under Tools → ABAP Workbench → Development → Other tools → Authorization objects → Fields (transaction SU20).

Programmers should also create an authorization object (here S_TRVL_BKS) and assign the authorization object to an object class.

Authorization objects are created under Tools → ABAP Workbench → Development → Other tools → Authorization objects → Objects (transaction SU21). Authorization objects can also be created in the Object Navigator (transaction SE80).

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT'    FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.

IF SY-SUBRC <> 0.
    MESSAGE E...
ENDIF.

The AUTHORITY-CHECK statement checks whether a user has the appropriate authorization to execute a particular activity.

When the statement is executed, the system checks the authorization profiles in the user's master record for the appropriate authorization object (S_TRVL_BKS). If an authorization is found and it contains the correct values, the check is successful.

The system administrator has defined the following authorizations for the authorization object S_TRVL_BKS:

· S_TRVL_CUS1 with the following values: * for customer type (field CUSTTYPE) and 03 for activity (field ACTVT). Users with this authorization can display all customer bookings (activity 03 = display).

· S_TRVL_CUS2 with the following values: B for customer type (field CUSTTYPE) and 02 for activity (field ACTVT). Users with this authorization can change bookings for all business customers (activity 02 = change).

When assigning profiles, the system administrator gave different authorizations to different users.

User Miller has been assigned a profile containing both of these authorizations (S_TRVL_CUS1 and S_TRVL_CUS2). Miller can therefore change bookings for business customers.

User Meyers, on the other hand, is only authorized to display the records (S_TRVL_CUS1) and therefore cannot change bookings.
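
The evaluation described above, as an added example that is not part of the original post and not SAP code: a simplified Python model of how the two authorizations decide the check for Miller and Meyers. It shows that one authorization must cover all checked fields, so Miller's wildcard customer type from S_TRVL_CUS1 does not combine with activity 02 from S_TRVL_CUS2. The customer type P, the user SCHMIDT and all function names are assumptions made for illustration; only the exact value and the full wildcard * are modelled.

```python
# Simplified model of the check described above; not SAP kernel code.
# Return codes follow the documented sy-subrc values of AUTHORITY-CHECK.
SUBRC_OK, SUBRC_NO_VALUES, SUBRC_NO_OBJECT = 0, 4, 12

# Authorizations from the post: name -> (object, {field: permitted values}).
AUTHORIZATIONS = {
    "S_TRVL_CUS1": ("S_TRVL_BKS", {"CUSTTYPE": {"*"}, "ACTVT": {"03"}}),
    "S_TRVL_CUS2": ("S_TRVL_BKS", {"CUSTTYPE": {"B"}, "ACTVT": {"02"}}),
}

# Users from the post, with profiles flattened to authorization names.
USERS = {
    "MILLER": ["S_TRVL_CUS1", "S_TRVL_CUS2"],
    "MEYERS": ["S_TRVL_CUS1"],
}


def field_matches(permitted, value):
    """A field passes if the authorization holds '*' or the exact value."""
    return "*" in permitted or value in permitted


def authority_check(user, obj, **checked):
    """Return a sy-subrc-like code for `user` against object `obj`.

    The check passes only if ONE authorization covers ALL checked fields;
    values from different authorizations are never combined.
    """
    candidates = [AUTHORIZATIONS[name][1] for name in USERS.get(user, [])
                  if AUTHORIZATIONS[name][0] == obj]
    if not candidates:
        return SUBRC_NO_OBJECT
    for fields in candidates:
        if all(field_matches(fields.get(fid, set()), val)
               for fid, val in checked.items()):
            return SUBRC_OK
    return SUBRC_NO_VALUES


if __name__ == "__main__":
    # SCHMIDT and customer type P are constructed for this example.
    for user in ("MILLER", "MEYERS", "SCHMIDT"):
        for custtype, actvt in (("B", "02"), ("P", "02"), ("P", "03")):
            rc = authority_check(user, "S_TRVL_BKS",
                                 CUSTTYPE=custtype, ACTVT=actvt)
            print(f"{user:8} CUSTTYPE={custtype} ACTVT={actvt} -> {rc}")
```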
