ABAP Authorization Checks
Authorization Checks
Authorization checks in SAP are like security guards for important data, making sure only the right people access it. These checks, known as Authority checks, come in handy when creating new transactions and wanting to limit who can use them. To set up these restrictions, we use authorization checks.
SAP already has some pre-made authorization setups, but you can also create new ones. The SU21 transaction is where you manage these authorizations. They are sorted into groups called classes, neatly organized on the left side of the SU21 screen.
Inside these classes, there are different authorization options. You can control access to specific fields in tables. Clicking 'Display Authorization Objects' shows what you can do with each authorization, like adding, generating, modifying, and viewing. Remember, each object has its own set of choices.
Assigning an authorization to a specific SAP user happens through a role in the SU01 transaction. Think of it like giving someone a specific job role that comes with certain permissions. Authorization fields, also known as scopes, must exist or be created first. To find and manage them, go to: "Environment" -> "Authorization Fields" -> "Search" -> "Select and Display"
For a quick check on authorizations, the SU20 transaction is your go-to place. Here, you can easily create, change, delete, and see authorization fields directly.
In ABAP, authorization checks are implemented using the AUTHORITY-CHECK statement. This statement acts as a gatekeeper, checking whether an SAP user has permission to access a specific thing. Using this statement, developers make sure their programs follow strict security rules.
AUTHORITY-CHECK OBJECT 'Object_Name'
  ID 'FIELD1' FIELD '___________'
  ID 'FIELD2' FIELD '___________'
  ID 'FIELDN' FIELD '___________'.
IF sy-subrc EQ 0.
  "User has authorization.
ELSE.
  "User does not have authorization.
ENDIF.
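Always evaluate the content of the variable SY-SUBRC immediately after the statement: AUTHORITY-CHECK only sets the return code, so the program itself must stop or branch when the check fails.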
Implementation Steps
- Create an ABAP program (SE38) and select Model -> Check AUTHORITY-CHECK -> Enter the object name you want to implement -> Check.
- This generates a template for the object -> Complete the code by creating the object parameter in the selection template, adding the parameter usage in the authorization object, and completing the activity with '03'.
PARAMETERS p_airline TYPE sflight-carrid.

START-OF-SELECTION.
  "Check display authorization (activity 03) for the airline entered on the selection screen.
  AUTHORITY-CHECK OBJECT 'S_AIRLINE'
    ID 'CARRID' FIELD p_airline   "value of the parameter, not a quoted literal
    ID 'ACTVT'  FIELD '03'.
  IF sy-subrc EQ 0.
    WRITE: / 'User has authorization'.
  ELSE.
    WRITE: / 'User does not have authorization'.
  ENDIF.
Three function modules allow executing a transaction bypassing its authorization checks:
- Using the function TRANSACTION_CALL_VIA_RFC with the transaction to execute in the CALL parameter.
- Using the function C160_TRANSACTION_CALL with the transaction to execute in the I_THECALL parameter.
- Using the function RS_HDSYI_CALL_TC_VARIANT with THE CALL set to the transaction to execute and unchecking AUTHORITY-CHECK.
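A static check for two points made above (evaluate SY-SUBRC after every AUTHORITY-CHECK, and know where the listed function modules are called), as an added example that is not part of the original article: a heuristic Python scan of ABAP source text. The sample report and `lv_tcode` are constructed, and the scan assumes only `'...'` literals and `*` / `"` comments.

```python
import re

# Function modules named in the article; the third is matched by prefix.
BYPASS_FMS = ("TRANSACTION_CALL_VIA_RFC", "C160_TRANSACTION_CALL", "RS_HDSYI_CALL_TC_VARI")

def statements(source):
    """Split ABAP source into (first_line, STATEMENT) pairs, dropping comments."""
    out, buf, start, in_str = [], "", None, False
    for no, line in enumerate(source.splitlines(), 1):
        for ch in ("" if line.startswith("*") else line):  # '*' in column 1 = comment
            if ch == "'":
                in_str = not in_str
            elif ch == '"' and not in_str:       # inline comment: skip rest of line
                break
            elif ch == "." and not in_str:       # statement terminator
                if buf.strip():
                    out.append((start, " ".join(buf.split()).upper()))
                buf, start = "", None
                continue
            if start is None and not ch.isspace():
                start = no
            buf += ch
        buf += " "
    return out

def audit(source):
    """Flag AUTHORITY-CHECKs whose result is not tested next, and bypass FM calls."""
    stmts, findings = statements(source), []
    for i, (no, stmt) in enumerate(stmts):
        nxt = stmts[i + 1][1] if i + 1 < len(stmts) else ""
        if stmt.startswith("AUTHORITY-CHECK") and "SY-SUBRC" not in nxt:
            findings.append((no, "AUTHORITY-CHECK result not evaluated"))
        m = re.match(r"CALL FUNCTION '([^']+)'", stmt)
        if m and m.group(1).startswith(BYPASS_FMS):
            findings.append((no, "call to " + m.group(1)))
    return findings

# Constructed sample report (not from the article); lv_tcode is a placeholder.
SAMPLE = """\
AUTHORITY-CHECK OBJECT 'S_AIRLINE'
  ID 'CARRID' FIELD p_airline ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0. MESSAGE 'No authorization' TYPE 'E'. ENDIF.
AUTHORITY-CHECK OBJECT 'S_AIRLINE' ID 'CARRID' FIELD p_airline ID 'ACTVT' FIELD '02'.  "ignored
SELECT * FROM sflight INTO TABLE @DATA(lt_flights) WHERE carrid = @p_airline.
CALL FUNCTION 'C160_TRANSACTION_CALL' EXPORTING i_thecall = lv_tcode.
"""

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE):
        print(f"line {line_no}: {finding}")
```

The "next statement mentions SY-SUBRC" rule is a review aid, not proof: a hit means a person should read the code, and a clean result does not show that the branch taken on failure is safe.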
Step-by-Step Guide to Create a Class and an Authorization Object
- Click "Create" on the SU21 toolbar and select the option Object Class to create a new authorization object class.
- Complete the name and description in the class creation window and save it.
- Finally, create the class.
To create an authorization object within the class:
- Right-click on the class and choose Create Authorization Object.
- Complete the object name, a description, authorization fields, and save it.
Transaction Summary
- SU21: Manage authorizations (Classes/Object)
- SU01: Assigning an authorization to a specific SAP user
- SU20: Quick check on authorizations
- SU53: Authorization logs
- PFCG: Role management
- SUIM: Check roles over user/classes/objects
About the author
Academic publication by Jaime Eduardo Gomez Arango, as part of his studies for the ABAP Consultant program (Carrera Consultor ABAP).