Entering content frame

Authorization Concept Locate the document in its SAP Library structure

All SAP System data must be protected from unauthorized access, so that only those users who have explicit permission can access it.

You assign authorization in the user master maintenance. It must be possible to specify explicitly to which data the user has access and what kind of access is possible. For example, it is possible that a user has the authority to display the data for all airlines, but only has the authority to change the data for some of them. Accordingly, at each authorization check the combination of 'action' and 'airline' must be checked. When you create the authorization, in the user master record, the default settings for the operands must be set (for example, action 'change' and airline 'LH' or action 'display' and airline '*'.).'

In the SAP System these tasks are carried out by authorization objects. The operands whose combinations must be checked in authorization objects are called fields. An authorization object can contain up to 10 fields. For the above example the authorization object is made up of  the two fields 'action' and 'airline'. An authorization object is addressed during the assignment of authorization in the context of user maintenance as well as during authorization checks. Abbreviations for actions can be found in tables TACT and TACTZ, as well as in the documentation for the corresponding objects.

An authorization object defines the combination of fields which must be simultaneously addressed and acts as a template for the authorization as well as for the authorization check. In order to make the management and location of the authorization objects easier, they are organized into object classes, to which one or more classes of application are allocated.

In the ABAP Development Workbench you can find the maintenance transactions for authorization objects by choosing Development More Tools Authorization Objects. You will also find a complete list of all the objects with the relevant fields and documents, organized by class, here.

For more information about the authorization concept, refer to the Structure linkUsers and Rolesdocumentation.


This authorization object S_CARRID contains two fields. Generic values can be entered in the first field, CARRID (Airline). In the second field, ACTVT (Action), numbers for create (01), change (02) and display (03) can be entered.

This graphic is explained in the accompanying text

In the user master record values can be assigned to each of the fields in the authorization object S_CARRID for every user. The individual application must check when it is executed whether the user has the necessary authorization.







Leaving content frame