SAP Authorization Checks Concept

SAP Authorization Checks : When a user starts a transaction, the system performs the following Authorization checks:

The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.  The system then checks whether the user has authorization to start the transaction. The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks. 

The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code. 

If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, tableTSTCA). 

If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level). 

SAP Authorization Checks

The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.

The check is not performed in the following cases: 

You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAPNetWeaver and HR areas. 

To Display authorization Object,

This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.

You have globally deactivated authorization objects for all transactions with transactionSU24 or transaction SU25. 

So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10). 

All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message. 

Checking Assignment of Authorization Groups to Tables 

You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.      


Also See: How to extend a material to new storage location – SAP MM

Online Training Tutorials

  • sap system monitoringSAP System Monitoring an OverviewSAP System Monitoring: We can imagine if you have a job to monitor the whole SAP system and also non SAP system? Okay, let’s say that you only have 3 system landscapes that would be very […]
  • System MonitoringSAP System Monitoring Transaction CodesSystem Monitoring The Following are the transaction codes SM12:  This Traction is used for Check for Lock Entries. There may be old locks still in place from transactions that did not […]
  • Upload Transactional Data Into SAP SystemHow to Upload Transactional Data Into SAP SystemHow to Upload Transactional Data Into SAP System A) Pre – Go Live activities 1. Master data Load into Production system Ensure all the master data is loaded into the production […]
  • number assignmentDocument Number Assignment in SAP SystemIn the SAP System, every document is assigned a number that identifies it uniquely within a fiscal year and company code. There are two types of number assignment: External (by the […]
  • System Copy in SAP Business IntelligenceHow to System Copy in SAP Business Intelligence (BI SYSTEM) System Landscapes?The below post explain how the System Copy in SAP Business Intelligence System Landscapes in detail. Take the backup f the production system (Source) Pre-Steps on the target system […]
  • ASAP Methodology ImplementationASAP Methodology Implementation StepsThe SAP ASAP Methodology (Accelerated SAP) provides the roadmap for optimizing and continuous implementation of SAP systems in the real time business processes. The ASAP roadmap brings in […]
  • SAP BASIS Transaction CodesHR Human Resource Transaction CodesSAP HR Transaction Codes SAP HR (Human Resource) module enables each company to effectively manage the employee information in their organization. SAP HR is integrated with other SAP […]
  • Types of Master data in sap mmWhat are the different Types of Master data in SAP MM?The Master data in SAP is used to be base data that can store all the required inform about the transaction. If someone producing, transferring stock, selling, purchasing, doing physical […]