Skip to Content

How to check if an user has a required authorization role in ABAP?

I want to add an authorization check prior execution of function module. I need to ensure that the user has a specific role to be able to execute the function module.

Currently, I have two possible approaches:

  1. Create a TCODE for the function module and check an access to the TCODE with S_TCODE:
IF sy-subrc <> 0.
  WRITE: 'Access denied'.
  1. Write an SQL-query and get the data directly from the AGR_USERS table.

Both of these approaches will do the job, but it looks like more work around rather then a best practice.

My question:
Is there any common approach to check if a user is allowed to execute specific function module?

Add a comment
10|10000 characters needed characters exceeded

Related questions

4 Answers

  • Best Answer
    Posted on Mar 27, 2020 at 06:10 PM

    Dear Mike

    This may be helpful to you S_RFC object, assigning ACTVT to 16 will allows you to execute the RFC.

    Check this link - if it gives you details of what you are looking for.



    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Mar 27, 2020 at 05:32 PM

    I'd go for AUTHORITY-CHECK. That's the standard way to check if a user has required authorization.

    Notice that the authorization can result from different roles. Your taks as a developer is not to check for role but for authorizations. Roles can be maintained and named in many different ways depending on the company security guidelines.

    Best regards

    Dominik Tylczynski

    Add a comment
    10|10000 characters needed characters exceeded

    • Mike B. You're right, SU53 is only for failed authorizations. Use SU56 to see all user authorizations -> those concerning S_RFC.Authority-check is to check if the user has an authorization equal or wider than what is checked. In your case, for S_RFC, your user is already authorized to all function groups, or maybe all function groups whose name start with U or UN or etc., even for function groups which don't exist yet.
  • Posted on Mar 28, 2020 at 10:02 AM

    Hi Mike B.

    You should use a authorization object(s) that closely match(es) the business meaning of your function module. I'd recommend to use here SAP provided authorization object(s) if possible. E.g. if your function deals with material documents, use the authorization objects related to MIGO transaction.

    If your function is about some brand new business functionality and you can't find any relevant SAP provided authorization object, just create a new one that suits your need.

    BR, HTH

    Dominik Tylczynski

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Aug 04, 2020 at 10:34 AM


    Please check using SUIM tcode if user is having roles or tcode access as per the requiremnt.

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.