Skip to Content
avatar image
Former Member

authority-check read all values


Is it possible to read all values from authority object assigned to role, instead of call authority-check for certain value ? I have a auth obj named 'kostl' with values: 1002, 1003, 1004 and I need to extract all this values from abap instead of checking one by one if it's on authorized list. help.


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • avatar image
    Former Member
    Jul 27, 2007 at 07:42 AM


    See the concept of Authorization

    In general different users will be given different authorizations based on their role in the orgn.

    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

    USe SUIM and SU21 T codes for this.

    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

    This means you have to allocate an authorization object in the definition of the transaction.

    For example:

    program an AUTHORITY-CHECK.

    AUTHORITY-CHECK OBJECT <authorization object>

    ID <authority field 1> FIELD <field value 1>.

    ID <authority field 2> FIELD <field value 2>.


    ID <authority-field n> FIELD <field value n>.

    The OBJECT parameter specifies the authorization object.

    The ID parameter specifies an authorization field (in the authorization object).

    The FIELD parameter specifies a value for the authorization field.

    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

    You program the authorization check using the ABAP statement AUTHORITY-CHECK.


    ID 'ACTVT' FIELD '02'


    IF SY-SUBRC <> 0.

    MESSAGE E...


    'S_TRVL_BKS' is a auth. object

    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

    This Authorization concept is somewhat linked with BASIS people.

    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

    Take the help of the basis Guy and create and use.

    <b>Reward points for useful Answers</b>



    Add comment
    10|10000 characters needed characters exceeded

  • Jun 15, 2012 at 05:45 AM

    Hi MK,

    If you know the authorisation object, you can use FM SUSR_USER_AUTH_FOR_OBJ_GET.

    Moderator Message: Please check the date of the OP.

    Message was edited by: Suhas Saha

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jul 27, 2007 at 07:33 AM

    do this check one after the other

    authority-check object 'z_best_lfa' id 'KOSTL' field' 1002'.
    if sy-subrc = 0.
    authority-check object 'z_best_lfa' id 'KOSTL' field' 1003'.
    if sy-subrc = 0.
    authority-check object 'z_best_lfa' id 'KOSTL' field' 1004'.
    if sy-subrc = 0.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jul 27, 2007 at 07:50 AM

    the problem is that I don't know any values that are in that filed but I would like to know it to build sql select with ranges of all values from this field.

    I used st05 to trace role maintence transaction and I figured out I can use:

    select low from AGR_1251 where agr_name=<role_name> and field=<field_name>

    is it any reason to don't do it this way ?

    Add comment
    10|10000 characters needed characters exceeded