Skip to Content
avatar image
Former Member

Authorization group

Hi guys,

Just a quick question : I have been asked the following :

Could you please protect the following table ZXXXX with authorization

group FI.

Can anyone can tell me where to do it?

Sorry I'm a newbie....

Thanks in advance,



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • avatar image
    Former Member
    Oct 10, 2007 at 11:52 AM


    Create an Authorization Object and assign it

    see the doc on authorization concept

    In general different users will be given different authorizations based on their role in the orgn.

    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

    USe SUIM and SU21 T codes for this.

    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

    This means you have to allocate an authorization object in the definition of the transaction.

    For example:

    program an AUTHORITY-CHECK.

    AUTHORITY-CHECK OBJECT <authorization object>

    ID <authority field 1> FIELD <field value 1>.

    ID <authority field 2> FIELD <field value 2>.


    ID <authority-field n> FIELD <field value n>.

    The OBJECT parameter specifies the authorization object.

    The ID parameter specifies an authorization field (in the authorization object).

    The FIELD parameter specifies a value for the authorization field.

    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

    You program the authorization check using the ABAP statement AUTHORITY-CHECK.


    ID 'ACTVT' FIELD '02'


    IF SY-SUBRC <> 0.

    MESSAGE E...


    'S_TRVL_BKS' is a auth. object

    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

    This Authorization concept is somewhat linked with BASIS people.

    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

    Take the help of the basis Guy and create and use.

    Reward if usefull

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 10, 2007 at 10:38 PM

    Hello Murai

    Probably the solution is much simpler. Assuming that you have to protect your Z-table from unauthorized changes (update, insert, delete) you simply assign the maintenance view for your table to the required authorization group.

    I will give you an example for the maintenance view <b>V_T001W</b> (the same is true for table maintenance without a separate view):

    1. Display view V_T001W in transaction SE11.

    2. Choose menu <i>Utilities -> Table Maintenance Generator</i>

    There you will see in the field group <i>Technical Details </i> the authorization group assigned to this view. If you see the value '&NC&' for your Z-table this means there is no auth group assigned.



    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 11, 2007 at 10:08 AM


    We can do the authurisation check for the table z***** .

    Checking Assignment of Authorization Groups to Tables

    You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.

    You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).


    Authorization object that enables authorization checks for displaying or editing table content. This object controls access though standard table maintenance functions (transaction SM31), extended table maintenance functions (transaction SM30), or the Data Browser. This includes access through the Customizing system.


    With this authorization object you can, for example, restrict access just to data in table entries defined in this object; even if the user who wants to access the data has authorization for transaction SE16 (and therefore for all ABAP Dictionary objects). In this way, you can prevent system administrators from accessing application data. Once you implement this authorization object, only those table entries can be modified or displayed that have been given the appropriate authorization in S_TABU_DIS.

    Structure The object consists of the following fields:

    Authorization Field  Long Text
    DICBERCLS -> Authorization group
    ACTVT  -> Activity

    Further Information About the Fields

    · The DICBERCLS field contains the authorization for tables according to the authorization classes in table TDDAT. Here, you specify the names of the permitted classes. Table classes are defined in the table TBRG.

    · The ACTVT field contains the permitted operations. It can take the following values:

    02:Change (add, modify, or delete table entries)
    03: Display table content


    If you want to protect cross-client tables, you can add the authorization object S_TABU_CLI to the general table maintenance authorization with S_TABU_DIS.

    If you want to implement more detailed table maintenance authorizations (for example, if you want to protect country-specific data records in tables with data from more than one country (such as T510A)), then you can use the authorization object S_TABU_LIN.

    Reward points if it is usefull .....


    Add comment
    10|10000 characters needed characters exceeded