
SAP security mechanism

Former Member
0 Kudos

Hi,

In spite of best effort, I am still unable to understand SAP authorization mechanisms.

Can anybody explain what really happens as soon as we type a Tcode? What I want is the flow of events (for authorizations) that SAP does for completing the transaction. Also, please explain with an example what the s_tcode object really does.

Thanks

Ramakrishna

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Probably the best thing to do would be for you to get hold of a copy of Authorisations Made Easy or go on course ADM940, but in the meantime this is a rough outline.

User Types FB01 -> kernel level check is performed against the user buffer for auth object S_TCODE value FB01. This is a hard coded check that forms the first level of security.

Assuming the check is satisfied, it starts to execute the code.

When the code reaches an authority-check statement it will check the auth object and values against the user buffer.

Let's say it hits F_BKPF_BUK and it wants to create for company code 1000.

SAP will evaluate the user buffer for an authorisation value set that contains F_BKPF_BUK ACTVT 01 (create) BUKRS 1000

If successful, the code will continue on whatever path is chosen (Post document, for example).

If unsuccessful (SY-SUBRC NE 0) the code will continue on the path that is coded for that situation, often giving a message that a user is not authorised.

Hope that answers both questions.

4 REPLIES 4

0 Kudos

That's too funny, looks like Alex had the exact same FB01 example...

0 Kudos

How bizarre, I preferred your answer though!

Former Member
0 Kudos

Rama,

Different transactions may operate differently, but here is a quick example of what happens when a tcode is run.

Run transaction FB01 (Post Document) and the system checks object S_TCODE for value FB01.

Then the user fills out the transaction (document type, company code, etc.) and clicks save. At this point the additional authorization objects are called for the relevant company code (F_BKPF_BUK) and document type (F_BKPF_BLA). If the user fails on these checks, an error is reported and the document will not save. If the authorization checks are successful, then the document will save.

Object S_TCODE is the security object that is checked when a tcode is executed. The only field in the object is transaction code (TCD). Some transactions may actually check more than one tcode. VA01 (sales order) actually checks many tcodes, since the sales order screen has different areas of functionality and only allows access to the different areas if the authorization check was successful.

SAP online info:

http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

ADM940 Training class

http://www50.sap.com/useducation/curriculum/course.asp?cid=60173703
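
The two-stage flow described in the answers above (S_TCODE check when the transaction starts, then each AUTHORITY-CHECK against the user buffer), as an added example that is not part of the original thread and is not SAP code. It is a simplified Python model: the function names, the buffer layout and the sample authorizations are assumptions, and only the full `*` wildcard is modelled.

```python
# Simplified model of the authorization flow discussed in this thread.
# Names and data layout are illustrative assumptions, not SAP APIs.

# Constructed user buffer: one entry per authorization (object, field values).
USER_BUFFER = [
    ("S_TCODE", {"TCD": ["FB01", "FB03"]}),
    ("F_BKPF_BUK", {"ACTVT": ["01", "02"], "BUKRS": ["1000"]}),
    ("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]}),
]

def covers(allowed, value):
    """True if the requested value is in the allowed list or '*' is granted."""
    return any(a == "*" or a == value for a in allowed)

def authority_check(buffer, obj, **wanted):
    """Return a SY-SUBRC-style code: 0 = authorized, 4 = object is in the
    buffer but no authorization covers the values, 12 = object not in buffer."""
    auths = [fields for name, fields in buffer if name == obj]
    if not auths:
        return 12
    for fields in auths:
        # Every checked field must be satisfied by ONE authorization;
        # values are not combined across separate authorizations.
        if all(covers(fields.get(f, []), v) for f, v in wanted.items()):
            return 0
    return 4

def run_transaction(buffer, tcode, checks):
    """Stage 1: S_TCODE check at transaction start.
    Stage 2: each authority check the program reaches, in order.
    A failed check takes the 'not authorised' path and nothing is saved."""
    if authority_check(buffer, "S_TCODE", TCD=tcode) != 0:
        return f"not authorized for transaction {tcode}"
    for obj, values in checks:
        rc = authority_check(buffer, obj, **values)
        if rc != 0:
            return f"{obj} failed with SY-SUBRC {rc}"
    return "document posted"

if __name__ == "__main__":
    post_1000 = [("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"})]
    post_2000 = [("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "2000"})]
    print(run_transaction(USER_BUFFER, "FB01", post_1000))
    print(run_transaction(USER_BUFFER, "FB01", post_2000))
    print(run_transaction(USER_BUFFER, "FB02", post_1000))
```

The company code 2000 case fails even though the user holds create (01) in one authorization and all company codes in another, because the two authorizations are evaluated separately.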