
Object documentation S_TABU_LIN (Authorization for Organizational Unit)

Definition

Authorization object that can be used to restrict access to tables on the basis of organizational criteria. Organizational criteria stand for business work areas (for example, country, plant, company code) and represent a connection between key fields of tables and the authorization fields of S_TABU_LIN.

Use

This authorization object enables you to set up access authorization to specific rows of a table for a user. In addition, you can use an organizational criterion in one client for all tables to define that a user is only authorized to display and change the table contents of a specific business work area (for example, of a country).

Prerequisites

The existence of organizational criteria is a prerequisite for the use of this authorization object. You define organizational criteria in the SAP R/3 Customizing under SAP Web Application Server → System Administration → Users and Authorizations → Line-Oriented Authorizations → Define Organizational Criteria.

Note

Predefined organizational criteria already exist in the standard system. You can, however, define your own organizational criteria if required. SAP recommends that you refer to the predefined organizational criteria when you define your own organizational criteria.

Authorization at row level only has an effect if the associated organizational criterion is activated in the current client. Because organizational criteria are defined on a cross-client basis but take effect on a client-specific basis, you must activate them in each client in which they are required. To activate organizational criteria in the current client, choose SAP Web Application Server → System Administration → Users and Authorizations → Line-Oriented Authorizations → Activate Organizational Criteria.

Structure

The object consists of the following fields:

| Authorization Field | Long Text |
|---|---|
| ORGKRIT | Organizational criterion for key-specific authorizations |
| ACTVT | Activity |
| ORG_FIELD1 | 1. Attribute for organizational criterion |
| ORG_FIELD2 | 2. Attribute for organizational criterion |
| ORG_FIELD3 | 3. Attribute for organizational criterion |
| ORG_FIELD4 | 4. Attribute for organizational criterion |
| ORG_FIELD5 | 5. Attribute for organizational criterion |
| ORG_FIELD6 | 6. Attribute for organizational criterion |
| ORG_FIELD7 | 7. Attribute for organizational criterion |
| ORG_FIELD8 | 8. Attribute for organizational criterion |

More Information About the Fields

The ORGKRIT field establishes the relationship to the key fields of the tables to which the line authorization refers. Possible values: All organizational criteria defined in Customizing and activated for the current client (see above). These values are displayed using the F4 help.

The ACTVT field contains the permitted operations. The following values are possible:

02: Change (add, change or delete table entries)

03: Display table contents

The fields ORG_FIELD1 to ORG_FIELD8 can each contain a specific key field of a table. You can only enter values for as many attributes as are defined in the organizational criterion (at least one).

Possible values: Field values for the key field of the table. You can enter several individual values and/or intervals.

Integration

The S_TABU_LIN authorization object enhances the S_TABU_DIS and S_TABU_CLI authorization objects. Whereas S_TABU_DIS has an effect on complete Customizing tables or maintenance views, you can use S_TABU_LIN to control access to individual table rows.

In this process, the authorization check of the maintenance transaction first checks the S_TABU_CLI and S_TABU_DIS authorization objects. If this check is successful, it then determines whether organizational criteria were defined for the key fields of the tables. If so, it checks whether authorization exists for the values, that is, value ranges, of the fields in question. Only those fields for which the complete authorization check has run successfully are displayed as the result.

Example

Examples of the authorization check using S_TABU_LIN on the basis of the following organizational criteria:

| Organizational Criterion | Cross-Table | Attribute | Field |
|---|---|---|---|
| OC_COUNTRY | X | COUNTRY | Table1-COUNTRY |
| OC_EMP_SUB | | EMP. SUBGR. | Table2-EMP_SUBGR |
| OC_FOR_TAB_3_ONLY | | COUNTRY, AREA, PAY SCALE | Table3-COUNTRY, Table3-AREA, Table3-PAY_SC_TYPE |
| OC_WAGE_TYPE | X | WAGE TYPE | Table4-WAGE_TYPE |
| or OC_WAGE_TYPE_COUNTRY | X | COUNTRY, WAGE TYPE | Table1-COUNTRY, Table4-WAGE_TYPE |

To define line authorization for certain countries, you simply require authorization for S_TABU_LIN with ORGKRIT = OC_COUNTRY. Since the organizational criterion in this example is defined as cross-table (that is, not specifically for table 1), it controls user access to each table that has COUNTRY defined as the key field.

If you use the organizational criterion OC_EMP_SUB in addition to OC_COUNTRY, the authorization is also checked for this organizational criterion if a user accesses table 2. This check takes place exclusively for table 2, since OC_EMP_SUB is not defined as cross-table.

If you use the organizational criterion OC_FOR_TAB_3_ONLY in addition to OC_COUNTRY, you can use it to define an exception for accesses to table 3. In this case, OC_COUNTRY is not checked since an authorization check of the COUNTRY field is already defined specially for table 3 using OC_FOR_TAB_3_ONLY.

If you use the organizational criterion OC_WAGE_TYPE in addition to OC_COUNTRY, an authorization check is performed for this organizational criterion for all tables that have the WAGE_TYPE field defined as the key field. If a user accesses table 4, the authorization for OC_COUNTRY is also checked.

If you use the organizational criterion OC_WAGE_TYPE_COUNTRY instead of OC_WAGE_TYPE in addition to OC_COUNTRY, an authorization check is performed for this organizational criterion for those tables only that have WAGE_TYPE and COUNTRY defined as key fields. The authorization check for OC_WAGE_TYPE_COUNTRY is, for example, not performed for table 2 since table 2 does not contain the fields defined for it.
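The selection rules from the example above can be written as a small model that is useful when reviewing a role design. This Python sketch is an added illustration, not SAP code: it covers only the S_TABU_LIN stage (after S_TABU_CLI and S_TABU_DIS have passed), and the table key fields, the helper names and the sample user authorization are assumptions constructed for the example.

```python
from typing import NamedTuple, Optional

class Criterion(NamedTuple):
    name: str
    attrs: tuple            # key fields, in ORG_FIELD1..ORG_FIELD8 order
    table: Optional[str]    # None = defined as cross-table

# Criteria from the page's example (variant with OC_WAGE_TYPE).
CRITERIA = [
    Criterion("OC_COUNTRY", ("COUNTRY",), None),
    Criterion("OC_EMP_SUB", ("EMP_SUBGR",), "Table2"),
    Criterion("OC_FOR_TAB_3_ONLY", ("COUNTRY", "AREA", "PAY_SC_TYPE"), "Table3"),
    Criterion("OC_WAGE_TYPE", ("WAGE_TYPE",), None),
]
# Assumed key fields per table (constructed; the page names only some of them).
TABLE_KEYS = {
    "Table1": {"COUNTRY"},
    "Table2": {"COUNTRY", "EMP_SUBGR"},
    "Table3": {"COUNTRY", "AREA", "PAY_SC_TYPE"},
    "Table4": {"COUNTRY", "WAGE_TYPE"},
}

def applicable(table, active):
    """Names of the criteria checked for `table`, given those activated in the client."""
    own = [c for c in CRITERIA if c.name in active and c.table == table]
    covered = {f for c in own for f in c.attrs}
    cross = [c for c in CRITERIA if c.name in active and c.table is None
             and set(c.attrs) <= TABLE_KEYS[table]
             and not covered & set(c.attrs)]  # table-specific criterion takes precedence
    return [c.name for c in own + cross]

def value_ok(value, spec):
    """spec: single values and/or (low, high) intervals, as entered in ORG_FIELDn."""
    return any(value == s if isinstance(s, str) else s[0] <= value <= s[1] for s in spec)

def row_visible(table, row, auths, actvt, active):
    """True if every applicable criterion is satisfied by some S_TABU_LIN authorization."""
    by_name = {c.name: c for c in CRITERIA}
    for name in applicable(table, active):
        attrs = by_name[name].attrs
        if not any(a["ORGKRIT"] == name and actvt in a["ACTVT"]
                   and all(value_ok(row[f], a[f"ORG_FIELD{i}"])
                           for i, f in enumerate(attrs, 1))
                   for a in auths):
            return False
    return True

# Constructed user: display (03) only, for countries DE and the interval FR..IT.
USER = [{"ORGKRIT": "OC_COUNTRY", "ACTVT": {"03"}, "ORG_FIELD1": ["DE", ("FR", "IT")]}]
ALL_ACTIVE = {c.name for c in CRITERIA}
```

Passing an empty set as `active` models a client in which no organizational criterion is activated, so the row-level check has no effect and every row passes this stage.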

 

 
