SAP Query Authorizations 

End users, system administrators, and translators must all have appropriate authorizations to use SAP Query. For example, it would not make sense for end-users to have the authorization to maintain InfoSets.

Also, it can be desirable to set up authorizations within a user group in such a way that some end-users can maintain and execute queries, while others can only execute existing queries.

SAP Query has two means of assigning authorizations to individuals:

To be able to use the component Maintain Queries, you must be a member of at least one user group. In all other user groups, maintenance may only be performed after your user name has been explicitly assigned to them. This means that you can only access certain InfoSets.

You can also assign authorizations using the authorization object S_QUERY.

This authorization object contains a field ACTVT, which can accept the values Change (02), Maintain (23) and Translate (67). You can assign authorizations for this authorization object.

Authorizations for this object always refer to both work areas. If a user has authorization to change queries, this means that he or she can initially create and change queries in all user groups within the standard and global areas for which he or she has been entered.

Action:

Authorization:

Maintaining Queries

To be able to create new queries or modify existing ones in the component Maintain Queries, users must have an authorization for the authorization object S_QUERY with the value Change (02). This authorization must also be confirmed for the corresponding user group, that is, not revoked.

Authorization to change objects can, however, in addition be explicitly restricted to individual user groups (see Assigning Users and InfoSets).

Executing Queries

If a query accesses a certain table when it is run, the user needs display authorization for authorization object S_TABU_DIS. Field DICBERCLS must contain the table’s authorization groups.

This authorization object protects all tables from unauthorized access. If you are accessing tables that are part of a logical database, authorization for data access can be set up using the logical database. Further information can be found under Logical Databases

This is the same authorization that you need in order to be able to display tables using either the Data Browser (transaction SE16) or the initial table maintenance screen (transaction SM31).

Maintaining InfoSets

The component Maintaining InfoSets can only be accessed by users with authorization for the authorization object S_QUERY and the appropriate value for Maintenance (23)

The authorization for maintaining InfoSets is restricted in such a way that a user wanting to store some ABAP code in an InfoSet can do this only if s/he has authorization for maintaining the authorization object S_DEVELOP with value 'PROG' for field OBJTYPE and with value 'AQ*' for field OBJNAME.

This is the same authorization that you need in order to be able to use the ABAP Editor to create or change programs whose names begin with 'AQ'.

If s/he does not have this authorization, then s/he can only select fields, connect additional tables or structures and define parameters and selection criteria.

Maintaining User Groups

The component Maintain User Groups can only be accessed by users with authorization for the authorization object S_QUERY and the appropriate value for Maintenance (23)

Language Comparison

The component Language Comparison can only be accessed by users with authorization for the authorization object S_QUERY and the appropriate value for Translation (67).

Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.