Show TOC

Scenario-Based Authorization ChecksLocate this document in the navigation structure

Delivering new authorization checks in existing SAP coding causes pain and disruption in existing SAP landscapes. To ease the pain of our customers, we provide a mechanism called scenario-based authorization checks.

New authorization checks have always posed problems for our customers. New authorization checks in existing coding break existing authorization concepts in business processes, forcing our customers to adapt roles and profiles. In the meantime business interruptions were unavoidable.

Reasons for delivering new authorization checks is necessary reasons, such as the following:

  • When you created your application, you did not cover all possible cases.

  • New legal requirements force you to update your application.

  • New technical advances provide the means to bypass by your existing security concept.

SAP or your own custom development can use scenario-based authorization checks to deliver new authorization checks for existing applications or business processes in an initially inactive state, enabling you to plan for and customize the implementation of the authorization checks in existing authorization concepts.

The scenario-based authorization check framework enables you to do the following:

  • Do nothing.

    The scenarios are delivered inactively. It is up to you to decide if and how you want to activate them.

  • Activate the new authorization checks delivered by SAP or your custom development after existing roles and profiles have been adapted.

  • Run through the scenario in trace mode to see what changed authorizations are necessary for you and decide on the authorization checks individually.

What the Developer Does

When the developer realizes the need for new authorization checks in his or her coding, the developer uses the method CL_SACF=>AUTH_CHECK_SPEC in the coding. With this method, the developer specifies a scenario name and the conditions under which the new authorization checks are called. Then for each scenario, the developer delivers a scenario definition. The scenario definition contains the new authorization checks. Definitions are development objects delivered by transports or file upload.

What the Administrator Does

After importing the new developments into your system, you can activate the scenario as it is or modify the suggested authorization checks in the scenario according to your needs. Activation and modification is a customizing activity. Once activated the you can transport the activated scenarios as customizing objects to other systems in your system landscape.