Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Showing results for 
Search instead for 
Did you mean: 
Former Member

Many cases have been raised from customers in relation to authorization
problems. Hence it is quite necessary and helpful to have an idea on what is authorization
and how to use it appropriately. In this blog, I would like to talk something
about authorization based on my own understanding using specific examples of
CO-OM.

What is authorization?

Authorization is aimed to decide whether a user has the
rights to create/change/display data via a certain transaction, or whether a
user can get accessed to the data on one or several specific account assigned
objects (Cost center, Order, WBS etc.). It is controlled by Authorization Objects
(AO).

You can view all the AOs that are possibly being checked when
running a certain transaction via SU24.

You can also make a trace via ST01 to see which AOs are exactly being checked when running KSB1 at a certain time.

ST01->Authorization check->Trace on

KSB1

Execute(F8)

Back to ST01->Trace off->Analysis(F2)->Start reporting(F8)

Double click the Object you want to check and then press Go to ABAP Position (F5), you will get the source code of this object.

Comparing the different outcome between SU24 and ST01 may bring you closer to the root cause of the problems in some cases.

How Authorization works?

Authorizations are assigned to a specific role. Create a role via transaction PFCG.

Display Authorization Data and you will get all the authorization information for role Z_CCA_ERIC0.

Go to SU01

Assign role Z_CCA_ERIC0 to user I307133 and user will have all the authorizations included in role Z_CCA_ERIC0.

How to use Authorizations?

Scenario:

User is not allowed to create/change cost centers, but is allowed to
display them.

  1. Create role Z_CCA_ERIC4
  2. Go to PFCG->change
    role->authorizations-> Change Authorization Data
  3. Change “All activities” to “Display” only

Generate.

    4. Go to SU01, assign Z_CCA_ERIC4 to user I307133

 

Save.

Now let’s see whether it works or not.

Go to KS03 to display cost center 1000181

Then Go to KS02 to change cost center 1000181.

System displays no authorization error.

Go to SU53

Now you can see from the screen above that the authorization we set has prevented user from changing cost center 1000181. System works as we
expected.

3 Comments