Authorization object that can be used to restrict access to tables on the basis of organizational criteria. Organizational criteria stand for business work areas (for example, country, plant, company code) and represent a connection between key fields of tables and the authorization fields of S_TABU_LIN.
This authorization object enables you to set up access authorization to specific rows of a table for a user. In addition, you can use an organizational criterion in one client for all tables to define that a user is only authorized to display and change the table contents of a specific business work area (for example, of a country).
The existence of organizational criteria is a prerequisite for the use of this authorization object. You define organizational criteria in the SAP R/3 Customizing under SAP Web Application Server → System Administration → Users and Authorizations → Line-Oriented Authorizations → Define Organizational Criteria.
Predefined organizational criteria already exist in the standard system. You can, however, define your own organizational criteria if required. SAP recommends that you refer to the predefined organizational criteria when you define your own organizational criteria.
Authorization at row level only has an effect if the associated organizational criterion is activated in the current client. Organizational criteria are defined on a cross-client basis but take effect on a client-specific basis, so you must activate them in each client in which they are required. To activate organizational criteria in the current client, choose SAP Web Application Server → System Administration → Users and Authorizations → Line-Oriented Authorizations → Activate Organizational Criteria.
The object consists of the following fields:
Authorization Field | Long Text |
ORGKRIT | Organizational criterion for key-specific authorizations |
ACTVT | Activity |
ORG_FIELD1 | 1. Attribute for organizational criterion |
ORG_FIELD2 | 2. Attribute for organizational criterion |
ORG_FIELD3 | 3. Attribute for organizational criterion |
ORG_FIELD4 | 4. Attribute for organizational criterion |
ORG_FIELD5 | 5. Attribute for organizational criterion |
ORG_FIELD6 | 6. Attribute for organizational criterion |
ORG_FIELD7 | 7. Attribute for organizational criterion |
ORG_FIELD8 | 8. Attribute for organizational criterion |
· The ORGKRIT field establishes the relationship to the key fields of the tables to which the line authorization refers. Possible values: All organizational criteria defined in Customizing and activated for the current client (see above). These values are displayed using the F4 help.
· The ACTVT field contains the permitted operations. The following values are possible:
02: Change (add, change or delete table entries)
03: Display table contents
· Fields ORG_FIELD1 to ORG_FIELD8 can each contain a specific key field of a table. You can only enter values for as many attributes as are defined in the organizational criterion (at least one).
Possible values: Field values for the key field of the table. You can enter several individual values and/or intervals.
The S_TABU_LIN authorization object enhances the S_TABU_DIS and S_TABU_CLI authorization objects. Whereas S_TABU_DIS has an effect on complete Customizing tables or maintenance views, you can use S_TABU_LIN to control access to individual table rows.
In this process, the authorization check of the maintenance transaction first checks the S_TABU_CLI and S_TABU_DIS authorization objects. If this is successful, the authorization check then checks whether organizational criteria were defined for the key fields of the tables. If this is the case, the authorization check checks whether authorization exists for values, that is value ranges, of the fields in question. Only those fields for which the complete authorization check has run successfully are displayed as the result.
Examples of the authorization check using S_TABU_LIN on the basis of the following organizational criteria:
Organizational Criterion | Cross-Table | Attribute | Field |
OC_COUNTRY | X | COUNTRY | Table1-COUNTRY |
OC_EMP_SUB | | EMP. SUBGR. | Table2-EMP_SUBGR |
OC_FOR_TAB_3_ONLY | | COUNTRY, AREA, PAY SCALE | Table3-COUNTRY, Table3-AREA, Table3-PAY_SC_TYPE |
OC_WAGE_TYPE | X | WAGE TYPE | Table4-WAGE_TYPE |
or OC_WAGE_TYPE_COUNTRY | X | COUNTRY, WAGE TYPE | Table1-COUNTRY, Table4-WAGE_TYPE |
To define line authorization for certain countries, you simply require authorization for S_TABU_LIN with ORGKRIT = OC_COUNTRY. Since the organizational criterion in this example is defined as cross-table (that is, not for table 1), it controls user access to each table that has COUNTRY defined as the key field.
If you use the organizational criterion OC_EMP_SUB in addition to OC_COUNTRY, the authorization is also checked for this organizational criterion if a user accesses table 2. This check takes place exclusively for table 2, since OC_EMP_SUB is not defined as cross-table.
If you use the organizational criterion OC_FOR_TAB_3_ONLY in addition to OC_COUNTRY, you can use it to define an exception for accesses to table 3. In this case, OC_COUNTRY is not checked since an authorization check of the COUNTRY field is already defined specially for table 3 using OC_FOR_TAB_3_ONLY.
If you use the organizational criterion OC_WAGE_TYPE in addition to OC_COUNTRY, an authorization check is performed for this organizational criterion for all tables that have the WAGE_TYPE field defined as the key field. If a user accesses table 4, the authorization for OC_COUNTRY is also checked.
If you use the organizational criterion OC_WAGE_TYPE_COUNTRY instead of OC_WAGE_TYPE in addition to OC_COUNTRY, an authorization check is performed for this organizational criterion for those tables only that have WAGE_TYPE and COUNTRY defined as key fields. The authorization check for OC_WAGE_TYPE_COUNTRY is, for example, not performed for table 2 since table 2 does not contain the fields defined for it.
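The selection rules from the examples above can be modelled in a few lines to test a role design before it is built. This is an added illustration in Python, not SAP code: it covers only the row-level step (the preceding S_TABU_CLI and S_TABU_DIS checks are left out), and the key fields assumed for tables 1 to 4, the function names and the sample authorization values are constructed.

```python
# Simplified model of the selection rules in the examples above; not SAP code.
# name: (cross_table, [(table, key_field), ...]) in ORG_FIELD1..n order
CRITERIA = {
    "OC_COUNTRY": (True, [("Table1", "COUNTRY")]),
    "OC_EMP_SUB": (False, [("Table2", "EMP_SUBGR")]),
    "OC_FOR_TAB_3_ONLY": (False, [("Table3", "COUNTRY"), ("Table3", "AREA"),
                                  ("Table3", "PAY_SC_TYPE")]),
    "OC_WAGE_TYPE": (True, [("Table4", "WAGE_TYPE")]),
    "OC_WAGE_TYPE_COUNTRY": (True, [("Table1", "COUNTRY"), ("Table4", "WAGE_TYPE")]),
}
# Assumed key fields per table (constructed; the page does not list them).
TABLE_KEYS = {
    "Table1": {"COUNTRY"},
    "Table2": {"COUNTRY", "EMP_SUBGR"},
    "Table3": {"COUNTRY", "AREA", "PAY_SC_TYPE"},
    "Table4": {"COUNTRY", "WAGE_TYPE"},
}

def attrs(name):
    return [field for _, field in CRITERIA[name][1]]

def applicable_criteria(table, active):
    """Active criteria that are checked when `table` is accessed."""
    specific = [n for n in active if not CRITERIA[n][0]
                and all(t == table for t, _ in CRITERIA[n][1])]
    covered = {f for n in specific for f in attrs(n)}
    # Cross-table criteria need all their fields among the table's keys, and
    # give way to a table-specific criterion that already covers a field.
    cross = [n for n in active if CRITERIA[n][0]
             and set(attrs(n)) <= TABLE_KEYS[table]
             and not covered & set(attrs(n))]
    return sorted(specific + cross)

def value_allowed(value, allowed):
    """`allowed` mixes single values and (low, high) intervals."""
    return any((a[0] <= value <= a[1]) if isinstance(a, tuple) else a == value
               for a in allowed)

def row_allowed(table, row, actvt, active, auths):
    """True if every applicable criterion is satisfied by one authorization."""
    for name in applicable_criteria(table, active):
        if not any(a["ORGKRIT"] == name and actvt in a["ACTVT"]
                   and all(value_allowed(row[f], a["ORG_FIELDS"][i])
                           for i, f in enumerate(attrs(name)))
                   for a in auths):
            return False
    return True

# Constructed sample: display-only authorizations for one user.
ACTIVE = ["OC_COUNTRY", "OC_EMP_SUB", "OC_FOR_TAB_3_ONLY", "OC_WAGE_TYPE"]
AUTHS = [
    {"ORGKRIT": "OC_COUNTRY", "ACTVT": {"03"}, "ORG_FIELDS": [["DE", "FR"]]},
    {"ORGKRIT": "OC_WAGE_TYPE", "ACTVT": {"03"}, "ORG_FIELDS": [[("1000", "1999")]]},
]
```

With this sample, the user's OC_COUNTRY authorization does not open any row of table 3, because only OC_FOR_TAB_3_ONLY is checked there and the user holds no authorization for it.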