06-15-2006 4:30 AM
Hi all,
Can anyone tell me what is authorization group? I always come across this when I am inside pfcg and look into the authorization object.
I know that authorization object groups authorization fields together. And authorization is an instance of authorization object. But how does authorization group fit into this model?
I have read parts of the help manual that mention auth. group is used to manage Z tables, but they never mention the above relationship.
Thanks.
06-15-2006 4:52 AM
HI Jockey,
The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
The table that contains all authorization objects is TOBJ.
The table that contains all activities is TACT.
The table that contains definition of all authorization groups is TBRG.
TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
Check these links too..
http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
http://www.sap4.com/contentid-39.html
Thanks,
Susmitha
Dont forget to reward points for useful answers.
Message was edited by: Susmitha Thomas
06-15-2006 4:40 AM
Hi Jockey,
Go through these links you will get a good idea about the authorization concept:
<b>su21 is used for maintenance of authority objects:</b>
http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm
http://web.mit.edu/ist/org/admincomputing/dev/abap_review_check_list.htm
Thanks & Regards,
YJR.
06-15-2006 4:55 AM
Hi,
Per SAP help..An authorization group contains tables and views with the same security requirements.In the Table maintenance dialog, you maintain the same gorup for tables that require similar authorizations.To activate the authorization, you must determine an activity for the authorization group in the authorizaton objects S_TABU_DIS & may be S_TABU_CLI. The link between the Auth group & auth Obj is in table TBRG.
Hope this gives you an idea..
Regards,
Suresh Datti
06-15-2006 4:50 AM
Hi Jockey,
Please check this links.
http://www.sappoint.com/basis/authtcodes.pdf
http://www.sapgenie.com/basis/Security%20upgrade%20white%20paper.htm
Hope this will help.
Regards,
Ferry Lianto
06-15-2006 4:52 AM
HI Jockey,
The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
The table that contains all authorization objects is TOBJ.
The table that contains all activities is TACT.
The table that contains definition of all authorization groups is TBRG.
TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
Check these links too..
http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
http://www.sap4.com/contentid-39.html
Thanks,
Susmitha
Dont forget to reward points for useful answers.
Message was edited by: Susmitha Thomas
06-15-2006 4:59 AM
Hi Jockey,
<b>1</b>.
Have a look at this path.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/6712ac439b11d1896f0000e8322d00/content.htm
<b>Thanks,
Venkat.O</b>
06-15-2006 5:42 AM
Hi,
Refer this link http://help.sap.com/saphelp_nw04s/helpdata/en/52/67168c439b11d1896f0000e8322d00/frameset.htm.
In the above link start reading from the node SAP Authorization Concept.
Regs,
Venkat Ramanan
Message was edited by: Venkat Ramanan Natarajan
06-15-2006 5:49 AM
HI
GOOD
You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
GO THROUGH THESE LINKS
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm
THANKS
MRUTYUN