Hello..
Access control in SAP is composed of several concepts:
1. Program code that calls an authorization check using the authority-check statement. This will look something like:
authority-check object id field
2. Authorization fields (corresponding to the in the above code) that define a scope of possible values.
Authorization object is created in tcode SU21. And authorization fields are created in SU20.
For each authorization object, we create a number of fields.
Examples of authorization fields would be:
Autho
ACTIVITY: defines the type of activity the user is doing with the data. Possible values are 'DISPLAY', 'MODIFY', 'DELETE', etc.
COMPANY_CODE: possible values are any single value, or any range of values, or any combination thereof (such as '0438' and '0600' thru '1100')
Authorization objects that define a group of fields. For example, an authorization object called 'CO_MDATA', containing our above fields ACTIVITY and COMPANY_CODE, might used to control access to the company master data tables.
Authorizations, each of which belong to exactly one authorization object, that define authorization values (within the scopes defined by the authorization objects) to be granted to users. Note that an authorization is different from an authorization object!! Extending our previous examples, we might have an authorization, belonging to the authorization object 'CO_MDATA', called 'CO_MDATA_ALL', that grants all access to all company master data. Then 'CO_MDATA_ALL' would have the following values:
FIELD VALUE
ACTIVITY *
COMPANY_CODE *
Profiles, each of which may contain several authorizations or profiles. A simple profile contains a group of authorizations. A composite profile contains a group of profiles (simple or composite). [Profiles can be conceptualized as forming the structure of a tree, in which end nodes (leaves) are authorizations, and all other nodes are profiles. Simple profiles are nodes whose children are all end nodes, and composite profiles are nodes, other than end nodes, who have no end nodes for children.]
This is done using transaction PFCG. And this profile name is maintained in the user record for each user.
Profiles are designed to define set or one or more functions or positions. For example, a functional profile might define all the authorizations that are required for doing a goods receipt, or for making a payment in the AP module. A position profile, on the other hand, might define all of the authorizations that are granted to an accountant, or to a warehouse supervisor. Often, a position profile is a composite profile consisting of several functional profiles.
Users, to whom profiles are assigned. A user is assigned one or more profiles by the system administrator. These profiles define all of the user's system authorizations. When the user logins, the user record is checked.
Go through these links also
http://www.thespot4sap.com/Articles/SAP_BC_Authorization_Concept.asp
http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
This link shows the steps in assigning authorization.
http://big4guy.com/index.php/2006/01/31/sap_authorization_concept_basics_5_easy
Hope that helped..
Cheers,
Susmitha
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.