Authorizations 
Authorizations
End-users, system administrators, and translators must all be assigned the appropriate authorizations allowing them to work with the SAP Query.
For example, end-users must not be authorized to maintain InfoSets.
You can set up authorizations in such a way, that certain end-users in a user group are authorized to maintain and execute queries, while other members of the same user group are authorized only to execute existing queries.
In order to give individual users targeted, specific rights, the following options are available:
A user has to be assigned to one or more role or user group before he or she is able to work with the Queries component.
This means that a user is able to access only those InfoSets assigned to the roles or user groups to which the user belongs.
You can also use authorization object S_QUERY to assign authorizations to users.
It has the field ACTVT, in which the following values can be entered.
You can assign authorizations for each of these values.
Authorizations for the authorization object S_QUERY always refer to both work areas of the SAP Query.
If a user is given authorization to change queries, he or she is able to create and change queries in all the user groups to which he or she is assigned in both the standard area and the global area.
|
Activity: |
Authorization: |
|
Maintaining queries |
A user requires the authorization with the Change (02) value for authorization object S_QUERY if you want him or her to be able to use the Queries component to create or change queries. You cannot revoke this authorization for the corresponding user group. You can restrict the authorization to change objects to individual user groups only. See Assigning Users and InfoSets. |
|
Executing queries |
Users must be assigned to the role or user group in which a query was defined before he or she is able to execute this query. Users need the display authorization for authorization object S_TABU_DIS if you want them to be able to access tables directly whenever they execute queries. The field DICBERCLS must contain the authorization groups for the tables. This authorization object protects all tables from unauthorized access. These authorizations also allow you to use the Data Browser (transaction SE16) or the table maintenance (transaction SM31) to display tables. If tables that are components of a logical database are accessed, you can use the logical database to set up the authorizations for accessing data. For more information see  Logical Databases |
|
Maintaining InfoSets |
A user requires the authorization with the Maintain (23) value for authorization object S_QUERY if you want him or her to be able to work with the InfoSets component. The authorization for maintaining InfoSets is restricted so that a user wanting to store some ABAP code in an InfoSet can do this only if he or she has authorization for the authorization object S_DEVELOP with value 'PROG' for field OBJTYPE and with value AQ* for field OBJNAME. This authorization also enables you to use the ABAP editor to create or change programs whose names begin with AQ. If a user does not have this authorization, the only activities he or she can carry out are the following: selecting fields, connecting additional tables or structures, and defining parameters and selection criteria. |
|
Maintaining user groups |
A user requires the authorization with the Maintain (23) value for authorization object S_QUERY if you want him or her to be able to work with the User Groups component. |
|
Language comparison |
A user requires the authorization with the Translate (67) value for authorization object S_QUERY if you want him or her to be able to work with the Translation/Query component. |
Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, are able to access the queries in all the roles or user groups without being explicitly assigned to each of these roles or user groups.
