Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Difference between Authorization Object and Group

Former Member

‎07-18-2007 9:27 AM

0 Kudos

Dear Consultants,

Please explain me the difference between Authorization Object and Authorization Group

2 REPLIES 2

Former Member

‎07-18-2007 1:35 PM

0 Kudos

An authorization object is the security object which has been coded in SAP ABAP to secure access to a certain area. For example, F_BKPF_BUK is an authorization object that is used to secure posting of FI docs by company code.

An authorization group is a term that is used in various areas in SAP such as table authorization groups or ABAP authorization groups. It essentially allows the security administrator to group data for the purposes of security. For example, S_TABU_DIS is the authorization object for table authorization groups - here you can enable access to a group of tables.

Former Member

‎07-18-2007 1:44 PM

0 Kudos

An authorization object is a control element for establishing authorizations for users.

It consists of 1 to 10 fields.

The authorization objects are listed in the table TOBJ.

The authorization group is an element for extra protection.

It can be found as a field value in several authorization objects.

These objects are optional objects in most cases.

If we take the object F_KNA1_BED as an example.

The object is for "customer : account Authorization"

and is related to several transactions

[table USOBT_C or transaction SU24].

The objects consists of two fields.

ACTVT [activity] and BEGRU [authorization group].

You can group customer master records and assign an authorization group

to these master records [on general or company code level].

In the above listed object you can enter now the authorization group into the field when creating an authorization, and with this the user will only have access to master records that have this authorization group assigned.

This is a simplified explanation. Hope this helps a bit.

Additional remark:

[An individual value will always be overruled by a "*", and all master records that are then not protected by an authorization group can be accessed in general].