Editing Authorization Default Data (Customer System)

Customers can use transaction SU24 to edit the default data delivered by SAP developers or to maintain default data for applications they have developed themselves.

It displays a list of the authorization objects for the selected application. For SAP deliveries, it displays the SAP default data, and for customer developments, it displays an empty list. You can modify the data delivered by SAP. You can also use the procedure below for your own developments.

Procedure
  1. Start the maintenance tool for authorization default data (transaction SU24).

  2. On the Application tab, specify the applications for which you want to edit the default data, and choose Execute.

  3. To display the assignment of authorization objects to an application, select the application under Selection Result by double-clicking it.

    The system displays the authorization data delivered by SAP or the data modified by the customer.

    More information: First Installation Procedure.

Comparing Data with the Data Delivered by SAP

If you have already modified authorization data in transaction SU24, you can compare it with the data delivered by SAP by choosing Compare with SAP Data. In change mode, you can transfer the SAP default status. If the object is delivered with the authorization default status Yes, and you have maintained it with this status, you can transfer its authorization default values.

Manually Adding Authorization Objects

If you want to include additional relevant authorization objects in the list of objects, choose the Object button and then Object > Add Authorization Object.

To remove the assignment of a manually-added authorization object, select the line, choose the Object button, and then Object > Remove Authorization Object.

Adding Authorization Objects Using the Authorization Trace

You can activate an authorization trace in your system to log authorization checks that are performed by applications. For more information about these traces, refer to Traces for Authorization Checks. To include objects from the authorization trace in the list, in change mode, choose the Object button and then Add Object from Trace. You can evaluate the authorization trace from the local system or from a remote system.

Setting the Authorization Default Status of Objects

Authorization objects for which you have not yet maintained an authorization default status do not have an entry in the Proposal column.

To change a default status, select one or more lines on the Authorization Objects tab page, and use the Proposal button to choose one of the following statuses.

  • No

    This status indicates that a user does not require an authorization for this object in order to execute the core functionality of this application. Do not confuse this with the check indicator for transactions with which the check is deactivated. For more information about check indicators, refer to the section Editing Check Indicators for Objects.

    If the administrator adds the application to a role, the Profile Generator does not place an authorization for this object in the role.

  • Yes

    This status indicates that a user requires an authorization for this object in order to execute the core functionality of this application. If the administrator adds the application to a role, the Profile Generator adds an authorization for this object in the role. The consequence is that the Profile Generator includes an authorization for this authorization object in the role authorizations using the delivered authorization default values. The fields of the authorizations are predefined with the proposed values. If you do not specify any values, you can specify Yes, Without Values. Deliver default values for the fields of the authorization object for which you know which values will be checked. Leave fields empty if you can only specify them in roles.

  • Yes, Without Values

    This status indicates that a user requires an authorization for this object in order to execute the core functionality of the application. However, the object contains only fields that can only be filled when specifying the role.

    If the administrator adds the application to a role, the Profile Generator places an empty authorization for this object in the role.

Guidelines for Setting the Default Status

  • Authorization objects that you explicitly check in your own code with AUTHORITY-CHECK usually receive the authorization default status Yes or Yes, Without Values.

  • If users cannot use the core functionality of an application without a particular authorization, you need to assign the default status Yes or Yes, Without Values for this authorization object.

  • If an authorization object is specified in transaction SE93 in the definition of a transaction as an additional start authorization check, you need to assign the authorization default status Yes to this authorization object in transaction SU24. As default values for the field values, set at least the values entered in transaction SE93.

  • Basis and HR authorization objects that are checked outside HR or Basis applications usually receive the authorization default status No.

  • The start authorization check is a special case and affects the authorization objects S_TCODE, S_START, S_RFC, and S_SERVICE. If you transfer authorization objects from the authorization trace, the start authorization object for an application is also always transferred (that is, for example, S_TCODE for transactions). You do not need to set the authorization default status Yes for these authorization objects. Since the Profile Generator automatically inserts a start authorization for your application into the role, you do not need to enter the name of your application as the authorization default value. Set the authorization default status to No.

Editing Authorization Default Values

You have the following options:

  • To display authorization objects with the default status Yes, double-click the Yes field. Alternatively, select one or more lines in edit mode, choose the Default button and then the relevant status.

  • To start the trace evaluation tool, choose the Evaluate Trace button. The trace evaluation displays the recorded authorization checks including the checked authorization values. You can copy relevant values. You can use both the authorization and the system traces for this purpose. You can use both traces either locally or in a remote system. More information: Maintaining Authorization Default Values Using Trace Evaluation in Transaction SU22 or SU24 or in the system by choosing the information button in transaction SU22.

Guidelines for Setting the Default Values

  • For fields that describe activities or other fixed values, enter the values that the system checks during the authorization check for your application.

  • For authorization objects that contain the activity field ACTVT, enter only activities that the developer stored as permitted activities in the definition of the authorization object.

  • Fields that describe organizational units are automatically filled with a corresponding variable, $VARIABLENNAME, that the system later fills when a role is created. Leave this variable name unchanged.

  • Leave fields empty if you only want to fill them when specifying a role.

  • In the case of authorization object fields that are not used by your application, that the system checks against DUMMY in the ABAP statement AUTHORITY-CHECK, enter the value ' ' with quotation marks or, for fields with a length of 1, a single quotation mark ( ').

  • If you are not able to specify authorization default values for any field of an authorization object (for example, because the authorization object only has Customizing fields), set the authorization default status to Yes, Without Values instead of Yes. If an authorization administrator includes your application in a role, the Profile Generator places an authorization for this object in a role, but does not predefine any fields with a default value.

Editing Check Indicators for Objects

In the case of transactions, you can also control the authorization check with check indicators that are set for each authorization object.

To change a check indicator, select one or more lines on the Authorization Objects tab page, and use the Check Indicator button to choose one of the following statuses:

  • Check

    Default check indicator

  • Do not check

    The authorization check for this authorization object is deactivated. The system does not check whether the user has a suitable authorization.

    This indicator applies to a particular authorization object for a transaction. It means that the authorization check for this object is deactivated for this transaction and is therefore always successful: the ABAP statement AUTHORITY-CHECK always returns sy-subrc=0, so the authorization check has no effect and does not determine whether the user has a suitable authorization. Therefore, set this value only in exceptional cases. It is never permissible for Basis and HR authorization objects. If a transaction cannot be used without a specific authorization, it is usually wrong to assign the check indicator Do Not Check for this authorization object. Instead, leave the check indicator set to Check, set the authorization default status to Yes, and assign appropriate authorization default values. In this way, the users receive a suitable authorization if an administrator adds the transaction to a role. If you cannot specify any meaningful authorization default values, set the authorization default status Yes, Without Values.
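
The guidelines for default statuses and the restrictions on the Do not check indicator can be reviewed mechanically before SU24 changes are transported. The following is an added example, not SAP code: it assumes a hypothetical CSV export with made-up column names, constructed sample rows, and the naming convention that Basis objects start with S_ and HR objects with P_.

```python
import csv
import io

# Constructed sample: a hypothetical CSV export of SU24 data (column names are
# assumptions, not an SAP format). "values" holds FIELD=VALUE default values.
SAMPLE_EXPORT = """\
application,object,check_indicator,proposal,values
ZSALES01,S_TCODE,Check,Yes,TCD=ZSALES01
ZSALES01,Z_SALESDOC,Check,Yes,ACTVT=03
ZSALES01,Z_SALESORG,Check,Yes,
ZSALES01,Z_CUSTFLD,Check,"Yes, Without Values",
ZSALES01,S_DEVELOP,Do not check,No,
ZSALES01,Z_REGION,Do not check,Yes,ACTVT=03
ZSALES01,Z_PLANT,Check,,
"""

START_OBJECTS = {"S_TCODE", "S_START", "S_RFC", "S_SERVICE"}  # listed on this page
BASIS_HR_PREFIXES = ("S_", "P_")  # assumption: naming convention for Basis/HR objects


def lint_su24(export_text):
    """Return (application, object, rule, message) for each guideline violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        obj, indicator, proposal = row["object"], row["check_indicator"], row["proposal"]
        has_values = bool(row["values"].strip())

        def flag(rule, message):
            findings.append((row["application"], obj, rule, message))

        if indicator == "Do not check":
            if obj.startswith(BASIS_HR_PREFIXES):
                flag("DNC_BASIS_HR", "Do not check is never permissible for Basis/HR objects")
            if proposal.startswith("Yes"):
                flag("DNC_REQUIRED", "object is required; keep Check and deliver defaults")
        if obj in START_OBJECTS:
            if proposal != "No":
                flag("START_NOT_NO", "start authorization objects get default status No")
        elif proposal == "Yes" and not has_values:
            flag("YES_EMPTY", "no default values; use Yes, Without Values")
        elif proposal == "":
            flag("UNMAINTAINED", "no authorization default status maintained yet")
    return findings


if __name__ == "__main__":
    for finding in lint_su24(SAMPLE_EXPORT):
        print(" | ".join(finding))
```

Each finding maps to one statement on this page, so a reviewer can trace a flagged row back to the guideline it violates.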