Checking Authorizations


In an ABAP program, there are no automatic authorization checks associated with Open SQL statements. This can cause problems, since Open SQL and Native SQL statements allow unrestricted access to all database tables.

Caution

Not all users should have authorization to access all data that is available by using the SQL statements that they are allowed to use. However, once you have released a program, any user with authorization for it can run it. This means that the programmer is responsible for checking that the user is authorized to access the data that the program processes.

To check the authorization of the user of an ABAP program, use the AUTHORITY-CHECK statement:

AUTHORITY-CHECK OBJECT '<object>'
                        ID '<name1>' FIELD <f1>
                        ID '<name2>' FIELD <f2>
                            .............
                        ID '<name10>' FIELD <f10>.

<object> is the name of the authorization object that you want to check. You must list the names (<name1>, <name2>, ...) of all authorization fields that occur in <object>. You can specify the values <f1>, <f2>, ... for which the authorization is to be checked either as variables or as literals. The AUTHORITY-CHECK statement checks the user's profile for the listed object to see whether the user has authorization for all of the listed values <f>. Then, and only then, is SY-SUBRC set to 0. You can exclude a field from the check by replacing FIELD <f> with DUMMY. The only way to evaluate the result of the authorization check is to examine the contents of SY-SUBRC immediately after the statement. For a list of the possible return values and further information, see the keyword documentation for the AUTHORITY-CHECK statement. For further general information about the SAP authorization concept, refer to Users and Authorizations.

Example

There is an authorization object called F_SPFLI. It contains the fields ACTVT, NAME, and CITY.

SELECT * FROM SPFLI.
   " Check per row, because the value to be authorized (the carrier) comes from the row itself
   AUTHORITY-CHECK OBJECT 'F_SPFLI'
                        ID 'ACTVT'  FIELD '02'
                        ID 'NAME' FIELD SPFLI-CARRID
                        ID 'CITY'   DUMMY.          " CITY is excluded from the check
   IF SY-SUBRC NE 0. EXIT. ENDIF.                   " any value other than 0 means "not authorized"
ENDSELECT.

If the user has the following authorizations for F_SPFLI:

ACTVT 01-03, NAME AA-LH, CITY none,

and the value of SPFLI-CARRID is not between "AA" and "LH", the authorization check terminates the SELECT loop.
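The following is an added example, not code from the SAP Library page, that applies the AUTHORITY-CHECK syntax and the F_SPFLI example above in a slightly more defensive form: the check is factored into a subroutine that maps SY-SUBRC to a flag, rows that fail the check are dropped and counted instead of aborting the whole read, and return codes other than 0 and 4 are surfaced as a configuration problem rather than silently treated as success. The report name, the subroutine name check_display_auth, and the use of activity '03' (display) are assumptions; the authorization object F_SPFLI, its fields, and table SPFLI are taken from the page.

```abap
REPORT z_authority_check_example.

" Constructed example: reduce the flight connections to the carriers
" the current user is authorized to display (ACTVT '03' is an assumption).
DATA: lt_spfli   TYPE STANDARD TABLE OF spfli,
      ls_spfli   TYPE spfli,
      lv_allowed TYPE abap_bool,
      lv_visible TYPE i,
      lv_denied  TYPE i VALUE 0,
      lv_text    TYPE string.

" Read first, then filter: the database itself performs no authorization check.
SELECT * FROM spfli INTO TABLE lt_spfli.

LOOP AT lt_spfli INTO ls_spfli.
  PERFORM check_display_auth USING ls_spfli-carrid CHANGING lv_allowed.
  IF lv_allowed = abap_false.
    " Drop the row the user may not see instead of leaving the loop;
    " the remaining rows are still processed.
    DELETE lt_spfli.
    lv_denied = lv_denied + 1.
  ENDIF.
ENDLOOP.

lv_visible = lines( lt_spfli ).
WRITE: / 'Connections visible to this user:', lv_visible,
       / 'Rows removed by the authorization check:', lv_denied.

" Performs the AUTHORITY-CHECK for one carrier and maps SY-SUBRC to a flag.
" Only SY-SUBRC = 0 means "authorized"; every other value is a denial.
FORM check_display_auth USING    iv_carrid  TYPE spfli-carrid
                        CHANGING cv_allowed TYPE abap_bool.
  AUTHORITY-CHECK OBJECT 'F_SPFLI'
           ID 'ACTVT' FIELD '03'
           ID 'NAME'  FIELD iv_carrid
           ID 'CITY'  DUMMY.
  CASE sy-subrc.
    WHEN 0.
      cv_allowed = abap_true.
    WHEN 4.
      " The user simply has no authorization for this combination of values.
      cv_allowed = abap_false.
    WHEN OTHERS.
      " Any other value indicates a problem with the check itself (for example
      " a field name that does not belong to the object); fail closed and
      " make the condition visible so it is not mistaken for a valid denial.
      cv_allowed = abap_false.
      lv_text = |AUTHORITY-CHECK for carrier { iv_carrid } returned SY-SUBRC { sy-subrc }|.
      MESSAGE lv_text TYPE 'I'.
  ENDCASE.
ENDFORM.
```

Evaluating SY-SUBRC with a CASE rather than a plain IF SY-SUBRC NE 0 keeps a genuine "not authorized" (4) distinguishable from a miscoded check, which would otherwise look identical in the program's behaviour. Both branches still deny access, so a mistake in the field list never widens what the user can see.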
