Authorization object is created in tcode SU21. And authorization fields are created in SU20.

For each authorization object, we insert a number of fields. If the field for which we want to create authoriztion is not there, we create that field in SU20.

Eg : F_BKPF_BLA is an authorization object which has two fields, authorization group(BRGRU) and activity(ACTVT). Using this authorization object, you determine with which document type line items can be posted and processed.

Authorizations are created for this object giving the value permitted for each field

eg authorization 1 - S_AUTH_1

• activity - 01

• BRGRU - authorization group

Users have this authorization can perform activity 01, that is creating.

authorization S_AUTH_2

*activity - 01, 02, 03.

• BRGRU - authorization group

Users having this authorization can perform activities 01, 02 and 03, that is create, change and display.

A profile is created to store the authorizations and transactions allowed for a particular user(by defining the role). This is done using transaction PFCG. And this profile name is maintained in the user record for each user.

When the user logins, the user record is checked.

Every time an action is taken by the user, an authority-check command must be called in the program

AUTHORITY-CHECK OBJECT 'F_BKPF_BLA'

ID 'BRGRU' FIELD T003-BRGRU

ID 'ACTVT' FIELD '03'.

Now, for this particular login, if an authorization for the given value is present, the transaction is accepted. Else the check fails and the action will not be allowed for the user.

For eg, if authorization S_AUTH_1 is there in the profile for that user, then this is allowed. But if only S_AUTH_2 is there, then the check fails.

******************************

Based on roles and authorization concept

Users are assigned to roles

Roles contain authorizations

Authorizations are defined for authorization objects

The system checks authorization objects against the

authorizations of the user

Driven by:

InfoProviders

Queries

Data

Different business purpose and goals than OLTP

Focused on displaying, planning, and analyzing data

Use authorization object S_RS_AUTH for the assignment of

authorizations to roles

Maintain the authorizations as values for field BIAUTH

If User 1 is chosen and Authorization Objects 1 and 2 should be migrated, you have to choose User 2 as well in order to have a complete user group

Create new profiles

Generation of profiles based on authorization object S_RS_AUTH that

contains the new, migrated authorizations

Preserves the existing role concept and adds new profiles to the role

Generated profiles have prefix RSR_

Extend existing profiles

Existing profiles will be extended by

authorization object S_RS_AUTH

Undo migration

All migrated authorizations and profiles

will be deleted; extended profiles contain

empty authorization object R_RS_AUTH

containing the migrated authorizations

******************************

SAP authorization concept :

http://help.sap.com/saphelp_nw04/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

Please go through the presentation.

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9d...

Follow these steps:

1.before going to authorizations u have to decide on which Infoobject u have to apply authorizations.

EX: SD--- Sales Org, MM -> palnt ,purorg,FI> companycode.

first u ahve to decide which area & on which Infoobject.

2.goto that Infoobject --> change there check the checkbox Authorization relavent object cahechbox

2.after that U Have to goto RSSM there u have to create authorization object

Ex: Zxxx ( XXX is Infoobject Name Ex :0compcode).

3. In the same transaction Screen u have Infocube selection radio Button check that then select on which cube(cube means under that cube all Quaries) u have to make authorization for that perticuler Infoobject.

4.next goto PFCG create role & save it

5.goto Authorization tab in that selct edit authorization it will give automatiaclly authorization Templates in that u have to select only S_RS_RREPU & press Enter.

6. Select manual pushbutton it will ask authorisation object enter ur authorization object what u have created ( zxxx) .

7.click generate +enter

8. goto user tab Enter userId+enter + click on usercomparision+ enter

9.save the role.

Regards

vasu