To create the authorization object, choose the SU21 transaction.
First double-click an object class to select it, for example
HR
(
Human Resources
).
Then choose
Create
on the following screen (F5). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the following fields:
INFTY: Infotype
SUBTY: Subtype
AUTHC: Authorization Level
If you want to use the authorization object for the
context authorization check
, it must also contain the
PROFL
field, which defines the structural profiles a user is authorized to access.
You can use any of the fields in the
Organizational Assignment
infotype (0001) or in the PA0001 structure for the rest of the fields. You can also use customer-specific additional fields provided they are CHAR or NUMC type fields.
In addition, you can use the following fields:
TCD: This field is always filled with the current transaction code (
SY-TCODE
). Note that when you use this authorization object in reports, the TCD field is filled with the name of the transaction that calls the report and not with the report name.
INFSU: This field is 8 characters long. The first 4 characters contain the infotype, the last 4 characters the subtype.
After you have created the authorization object, start the
RPUACG00
report. This report overwrites the MPPAUTZZ standard include with the code that is needed to evaluate the authorization object you created. Note: Technically speaking, this involves a modification. However, SAP fully supports this procedure. And you should not have more maintenance work as a result of this modification. To ensure that the report actually writes the program code, deselect the
Test
field. Enter your user as the password.
Activate your checks by switching the appropriate authorization main switch, NNNNN or NNCON to 1 .
See also:
P_NNNNN (HR: Master Data: Customer-Specific Authorization Object)
P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)