Authorization object that can be used to restrict access to tables on the basis of organizational criteria. Organizational criteria stand for business work areas (for example, country, plant, company code) and represent a connection between key fields of tables and the authorization fields of S_TABU_LIN.
This authorization object enables you to set up access authorization to specific rows of a table for a user. In addition, you can use an organizational criterion in one client for all tables to define that a user is only authorized to display and change the table contents of a specific business work area (for example, of a country).
The existence of organizational criteria is a prerequisite for the use of this authorization object. You define organizational criteria in Customizing under SAP Web Application Server → System Administration → Users and Authorizations → Line-Oriented Authorizations → Define Organizational Criteria.
Predefined organizational criteria already exist in the standard system. You can, however, define your own organizational criteria if required. SAP recommends that you refer to the predefined organizational criteria when you define your own organizational criteria.
Authorization at row level only has an effect if the associated organizational criterion is activated in the current client. Since organizational criteria are defined on a cross-client basis but take effect on a client-specific basis, you must activate them for each client required. To activate organizational criteria in the current client, choose SAP Web Application Server → System Administration → Users and Authorizations → Line-Oriented Authorizations → Activate Organizational Criteria.
The object consists of the following fields:
Authorization Field | Long Text |
---|---|
ORGKRIT | Organizational criterion for key-specific authorizations |
ACTVT | Activity |
ORG_FIELD1 | 1. Attribute for organizational criterion |
ORG_FIELD2 | 2. Attribute for organizational criterion |
ORG_FIELD3 | 3. Attribute for organizational criterion |
ORG_FIELD4 | 4. Attribute for organizational criterion |
ORG_FIELD5 | 5. Attribute for organizational criterion |
ORG_FIELD6 | 6. Attribute for organizational criterion |
ORG_FIELD7 | 7. Attribute for organizational criterion |
ORG_FIELD8 | 8. Attribute for organizational criterion |
The ORGKRIT field establishes the relationship to the key fields of the tables to which the line authorization refers. Possible values: all organizational criteria defined in Customizing and activated for the current client (see above). These values are displayed using the F4 help.
The ACTVT field contains the permitted operations. The following values are possible:
02: Change (add, change, or delete table entries)
03: Display table contents
Fields ORG_FIELD1-8 can each contain a certain key field of a table. You can only enter values for as many attributes as are defined in the organizational criterion (at least one).
Possible values: field values for the key field of the table. You can enter several individual values and/or intervals.
The S_TABU_LIN authorization object enhances the S_TABU_DIS and S_TABU_CLI authorization objects. Whereas S_TABU_DIS has an effect on complete Customizing tables or maintenance views, you can use S_TABU_LIN to control access to individual table rows.
In this process, the authorization check of the maintenance transaction first checks the S_TABU_CLI and S_TABU_DIS authorization objects. If this is successful, the authorization check then checks whether organizational criteria were defined for the key fields of the tables. If this is the case, the authorization check checks whether authorization exists for values, that is value ranges, of the fields in question. Only those fields for which the complete authorization check has run successfully are displayed as the result.
Examples of the authorization check using S_TABU_LIN on the basis of the following organizational criteria:
Organizational Criterion | Cross-Table | Attribute | Field |
---|---|---|---|
OC_COUNTRY | X | COUNTRY | Table1-COUNTRY |
OC_EMP_SUB | | EMP.SUBGR. | Table2-EMP_SUBGR |
OC_FOR_TAB_3_ONLY | | COUNTRY, AREA, PAY SCALE | Table3-COUNTRY, Table3-AREA, Table3-PAY_SC_TYPE |
OC_WAGE_TYPE | X | WAGE TYPE | Table4-WAGE_TYPE |
or OC_WAGE_TYPE_COUNTRY | X | COUNTRY, WAGE TYPE | Table1-COUNTRY, Table4-WAGE_TYPE |
To define line authorization for certain countries, you simply require authorization for S_TABU_LIN with ORGKRIT = OC_COUNTRY. Since the organizational criterion in this example is defined as cross-table (that is, not for table 1), it controls user access to each table that has COUNTRY defined as the key field.
If you use the organizational criterion OC_EMP_SUB in addition to OC_COUNTRY, the authorization is also checked for this organizational criterion if a user accesses table 2. This check takes place exclusively for table 2, since OC_EMP_SUB is not defined as cross-table.
If, in addition to OC_COUNTRY, you use the organizational criterion OC_FOR_TAB_3_ONLY, you can thus define an exception for access to table 3: In this case, OC_COUNTRY is not checked, as an authorization check for field COUNTRY is already specifically defined for table 3 via OC_FOR_TAB_3_ONLY.
If you use the organizational criterion OC_WAGE_TYPE in addition to OC_COUNTRY, an authorization check is performed for this organizational criterion for all tables that have the WAGE_TYPE field defined as the key field. If a user accesses table 4, the authorization for OC_COUNTRY is also checked.
If you use the organizational criterion OC_WAGE_TYPE_COUNTRY instead of OC_WAGE_TYPE in addition to OC_COUNTRY, an authorization check is performed for this organizational criterion for those tables only that have WAGE_TYPE and COUNTRY defined as key fields. The authorization check for OC_WAGE_TYPE_COUNTRY is, for example, not performed for table 2 since table 2 does not contain the fields defined for it.
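The selection rules from these examples can be modeled in a few lines, which is useful when reviewing a role design for rows that would unexpectedly pass or fail the check. This is an added illustration, not SAP code: the table names, key-field layout, and authorization dictionaries are constructed, S_TABU_CLI and S_TABU_DIS are assumed to have passed already, and only individual values and `*` are handled (no intervals).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Criterion:
    name: str
    fields: tuple                 # key fields bound to ORG_FIELD1..n, in order
    table: Optional[str] = None   # None means the criterion is cross-table

# Organizational criteria from the example table on this page.
CRITERIA = [
    Criterion("OC_COUNTRY", ("COUNTRY",)),
    Criterion("OC_EMP_SUB", ("EMP_SUBGR",), "TABLE2"),
    Criterion("OC_FOR_TAB_3_ONLY", ("COUNTRY", "AREA", "PAY_SC_TYPE"), "TABLE3"),
    Criterion("OC_WAGE_TYPE", ("WAGE_TYPE",)),
]
# Constructed key-field layout (assumption; the page does not list the table keys).
TABLE_KEYS = {
    "TABLE1": {"COUNTRY"},
    "TABLE2": {"COUNTRY", "EMP_SUBGR"},
    "TABLE3": {"COUNTRY", "AREA", "PAY_SC_TYPE"},
    "TABLE4": {"COUNTRY", "WAGE_TYPE"},
}

def applicable(table, active):
    """Names of the criteria activated in the client that are checked for `table`."""
    live = [c for c in CRITERIA if c.name in active]
    specific = [c for c in live if c.table == table]
    covered = {f for c in specific for f in c.fields}
    # A cross-table criterion applies when all of its fields are key fields of
    # the table and no table-specific criterion already covers those fields.
    cross = [c for c in live if c.table is None
             and set(c.fields) <= TABLE_KEYS[table]
             and not set(c.fields) & covered]
    return [c.name for c in specific + cross]

def row_allowed(table, row, actvt, active, auths):
    """True if each applicable criterion is satisfied by some S_TABU_LIN authorization."""
    by_name = {c.name: c for c in CRITERIA}
    def grants(auth, crit):
        return (auth["ORGKRIT"] == crit.name and actvt in auth["ACTVT"]
                and len(auth["ORG_FIELDS"]) == len(crit.fields)
                and all("*" in vals or row[f] in vals
                        for f, vals in zip(crit.fields, auth["ORG_FIELDS"])))
    return all(any(grants(a, by_name[n]) for a in auths)
               for n in applicable(table, active))
```

With no criterion activated in the client, `applicable` returns an empty list and every row passes, which mirrors the statement above that row-level authorization only takes effect after activation.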