Hi Imanol,

Here I have put some information about Authorizations per definition (would like to send you the link but I have it locally on my laptop). anyways, here it goes and hope it helps you.

-

' A person can log on to a client of an SAP system if they know the

user/password combination for a user master record.

In the SAP system, there is an authorization check every time a transaction

is called. If a user attempts to start a transaction for which he or she is not

authorized, the system rejects the user with an appropriate error message.

If the user starts a transaction for which he or she has authorization, the system

displays the initial screen of this transaction. Depending on the transaction

called, the user enters data and performs actions on this screen. Additional

authorization checks are made for data and actions that are to be protected.

Users are assigned authorizations using roles. The authorizations are

combined in roles and the roles are entered in the user master record.'

About Authorizations Objects:

'Actions and the access to data are protected by authorization objects in the

SAP system. The authorization objects are delivered by SAP and are in SAP

systems. To provide a better overview, authorization objects are divided into

various object classes.

Authorization objects allow complex checks that involve multiple conditions

that allow a user to perform an action. The conditions are specified in

authorization fields for the authorization objects and are AND linked for the

check. Authorization objects and their fields have descriptive and technical

names. In the example in the figure, the authorization object “User master

maintenance: User Groups” (technical name: S_USER_GRP) contains the two

fields “Activity” (technical name: ACTVT) and “User Group in User Master

Record” (technical name: CLASS). The authorization object S_USER_GRP

protects the user master record. An authorization object can include up to ten

authorization fields.

An authorization is always associated with exactly one authorization

object and contains the value for the fields for the authorization object. An

authorization is a permission to perform a certain action in the SAP system.

The action is defined on the basis of the values for the individual fields

of an authorization object. For example: Authorization B in the figure for

authorization object S_USER_GRP allows the display of all user master

records that are not assigned to the user group SUPER.

There can be multiple authorizations for one authorization object. Some

authorizations are delivered by SAP, but the majority are created specifically

for the customer’s requirements.

When a user logs on to a client of an SAP system, his or her authorizations are

loaded in the user context. The user context is in the user buffer (in the main

memory) of the application server.

When the user calls a transaction, the system checks whether the user has an

authorization in the user context that allows him or her to call the selected

transaction. Authorization checks use the authorizations in the user context.

If the user is assigned new authorizations, he or she must log on to the SAP

system again to use these.

If the authorization check for calling a transaction was successful, the system

displays the initial screen of the transaction. Depending on the transaction,

the user can create data or select actions. When the user completes his or

her dialog step, the data is sent to the dispatcher, which passes it to a dialog

work process for processing. Authority checks (AUTHORITY-CHECK) that

are checked during runtime in the work process are built into the coding

by the ABAP developers for data and actions that are to be protected. If

the user context contains all required authorizations for the checks, the

data and actions are processed and the user receives the next screen. If one

authorization is missing, the data and actions are not processed and the user

receives a message that his or her authorizations are insufficient.

All authorizations are permissions. There are no authorizations for

prohibiting. Everything that is not explicitly allowed is forbidden.'