Authorization Checks in Your Own Developments 

Each time a transaction is started, the system automatically checks for authorization object S_TCODE. This check is also executed for any transactions that you created yourself.

If you use the Profile Generator to generate your authorization profiles automatically, the authorizations for the authorization object S_TCODE are contained in the profiles.

Furthermore, you can add your own authorization checks to protect critical points in your ABAP programs.

The authorization check is not executed when the transaction is called indirectly, that is, from another transaction. Authorizations are not checked, for example, if a transaction calls another with the CALL TRANSACTION statement.

You should make sure that any security-critical transactions you call are always subject to authority checks.

Adding Authorization Checks to Programs

In order to maintain authorization objects and fields, you need access to the authorization object Authorizations (S_USER_AUT).

To add authorization checks to programs, you need to do the following:

  1. Create an Authorization Field
  2. Create an Authorization Object
  3. Assign an Authorization Object to an Object Class
  4. Program authority checks

Use the ABAP AUTHORITY-CHECK statement. Specify alphabetic values in uppercase letters: ABC. Test values from user master records are converted to uppercase before being passed to AUTHORITY-CHECK.

See the ABAP programming documentation for more information.