07-05-2007 2:35 PM
Hi,
Inspite of best effort, still i am unable to understand SAP authorization mechanisms.
Can anybody explain what really happens as soon as we type a Tcode. What i want is the flow
of events(for authorizations) that SAP does for completing the transaction. Also, please explain with an example what really does s_tcode object does?
Thanks
Ramakrishna
07-05-2007 2:53 PM
probably best thing to do would be for you to get hold of a copy of authorisations made easy or go on course ADM940, but in the meantime this is a rough outline
User Types FB01 -> kernel level check is performed against the user buffer for auth object S_TCODE value FB01. This is a hard coded check that forms the first level of security.
Assume check is satisfied it starts to execute the code.
When the code reaches an authority-check statement it will check the auth object and values against the user buffer.
Lets say it hits F_BKPF_BUK and it wants to create for company code 1000
SAP will evaluate the user buffer for an authorisation value set that contains F_BKPF_BUK ACTVT 01 (create) BUKRS 1000
If sucessful the code will continue on whatever path is chosen (Post document for example).
If unsuccessful (SY-SUBRC NE 0) the code will continue on the path that is coded for that situation, often giving a message that a user is not authorised.
Hope that answers both questions.
07-05-2007 2:53 PM
probably best thing to do would be for you to get hold of a copy of authorisations made easy or go on course ADM940, but in the meantime this is a rough outline
User Types FB01 -> kernel level check is performed against the user buffer for auth object S_TCODE value FB01. This is a hard coded check that forms the first level of security.
Assume check is satisfied it starts to execute the code.
When the code reaches an authority-check statement it will check the auth object and values against the user buffer.
Lets say it hits F_BKPF_BUK and it wants to create for company code 1000
SAP will evaluate the user buffer for an authorisation value set that contains F_BKPF_BUK ACTVT 01 (create) BUKRS 1000
If sucessful the code will continue on whatever path is chosen (Post document for example).
If unsuccessful (SY-SUBRC NE 0) the code will continue on the path that is coded for that situation, often giving a message that a user is not authorised.
Hope that answers both questions.
07-05-2007 3:01 PM
07-05-2007 3:03 PM
07-05-2007 3:00 PM
Rama,
Different transactions may operate differently, but here is a quick example of what happens when a tcode is run.
Run transaction FB01 (Post Document) and the system checks object S_TCODE for value FB01.
Then the user fills out the transaction Document type, company code ect and clicks save. At this point the additional authorization objects are called for relevant company code (F_BKPF_BUK) and document type (F_BKPF_BLA). If the user fails on these checks and error is reported and the document will not save. If the authorization checks are sucessfull then the document will save.
Object S_TCODE is the security object that is checked when a tcode is executed. The only field in the object is transaction code (TCD). Some transactions may actually check more than one tcode. VA01 (sales order) actually checks many tcodes as since the sales order screen has different areas of functionality and only allows access to the different areas if the authorization check was successful.
SAP online info:
http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
ADM940 Training class
http://www50.sap.com/useducation/curriculum/course.asp?cid=60173703