Create and Use the Authorization Objects in ABAP
Authorization Check
Authorization Objects are used to check the current user’s privileges for specific data selection and activities from within a program.
http://help.sap.com/saphelp_bw33/helpdata/en/52/67167f439b11d1896f0000e8322d00/frameset.htm
http://www.richardsantos.net/2009/03/16/sap-how-to-create-and-use-the-authorization-objects-in-abap/
Authorization Checks in ABAP Programs
Authorization Objects and Authorizations
Authorization - Check
Implementing Authorization Checks in Programs
Authorization Check
(1) create authorization fields
(2) create authorization class
(3) create authorization object
(4) create a role
(5) authorization in ABAP program
(1) create authorization fields
Go to transaction code SU20. Click the create new button on the application toolbar. Enter “ZTCODE” in the Field Name and “TCODE” in the Data Element, then hit Enter. Click the save button on the system toolbar.
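SU20 (create the authorization check field): click [New authorization field].
Enter the field and data element, then click the Save button.
You can scroll down to find the authorization field just created.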
(2) create authorization class
Go to transaction code SU21. Click on the Create button’s drop down icon and select “Object Class”. Enter “ZTRN” on the Object Class field. Give it a description and save it.
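SU21 (create the authorization class): click the Create button and select Object Class.
Enter the class name (at most 4 characters) and a description, then click the Save button.
You can scroll down to find the authorization object class just created.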
(3) create authorization object
Again in SU21, in the list of authorization classes (folder icon), click the one that we’ve created (ZTRN). Click on the Create button’s drop down, this time selecting “Authorization Object”. Enter “Z_TCODE” on the Object field and give it a description. In the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while ZTCODE is the authorization field that we created earlier, which is responsible for holding a list of tcodes.
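Select the authorization object class just created, right-click, and choose create authorization object to create the authorization object.
Enter the authorization object’s details and the authorization check fields, click the Save button, then click Exit.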
create authorization object
On the Further Authorization Object Settings, click on the “Permitted activities” button. Here we will select the specific activities that we want to be available for our authorization object. As an example, we will select 01 (Create), 02 (Change), and 03 (Display). Save and Exit.
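Find the authorization object just created and double-click it, click the display<>change button, then click the button.
Click the Permitted activities button.
Tick the activities to be configured, click the Save button, then click Exit.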
(4) create a role
1. Go to transaction code PFCG.
2. Enter “ZAUTHTEST” on the Role field and click the “Single Role” button.
3. Now give it a description, click the save button and click the Authorization tab.
4. Click the “Change Authorization Data” button inside the authorization tab.
5. Then click the “Manually” button on the application toolbar, type in the name of the authorization object that we created earlier (“Z_TCODE”) and press Enter.
6. Expand all the nodes, double click on the input field of the Activity and select activity 01 and 02.
7. Enter the tcode of our own ABAP program in the ZTCODE field; in our example I used “ZCOMM”. Also don’t forget to add the S_TCODE authorization object and enter ZCOMM in its field.
8. Now click on the Generate button in the application toolbar and press Enter on the pop-up screen.
9. Press the back button, assign a specific user on the User tab and click the User Comparison button.
Now create another role by repeating steps 1 to 9, but this time select activity 03 on step 6. Then assign this 2nd role to another user.
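PFCG: enter the role name, then click the Single Role button to create the role.
Enter the role description, click the Save button, then select the Authorizations tab.
Click the Change Authorization Data button.
First click the Do not select templates button, then click the Manually button.
Enter the authorization object name, then click the button.
After expanding, double-click Activity, set the permitted activities, then click the Save button.
Double-click the data element for the performing group, set the permitted group numbers, then click the Save button.
Click the Save button, then click the button to generate the profile.
Click the Save button, then click the Generate button.
The Authorizations tab turns green; then select the User tab.
Enter the user ID to be authorized, then click the Save button; at this point the User tab is still yellow.
Be sure to click User Comparison to readjust the user’s authorizations; in the new dialog window, click Complete comparison.
The User tab turns green; click the Save button to save.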
(5) authorization in ABAP program
    AUTHORITY-CHECK OBJECT 'Z_TCODE'   "authorization object that we've created
      ID 'ACTVT'  FIELD '01'           "Activity = 01, authorized to create
      ID 'ZTCODE' FIELD 'ZCOMM'.       "tcode that we want to check for authorization
    IF sy-subrc EQ 0.
      CALL SCREEN 1000.                "The user is authorized to create
    ELSE.
      CALL SCREEN 2000.                "User is not authorized to create (Display only)
    ENDIF.
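SE80: edit the program, click the Pattern button, then enter the authorization object name in the Authority Check field.
In the program, enter the authorization check conditions (Field values).
Write the complete program.
Result of querying a performing group the user is authorized for.
Result of querying a performing group the user is not authorized for.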
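A stricter form of the check in section (5), as an added example that is not from the original slides: the snippet's ELSE branch opens screen 2000 for any failed check, so this version tests activity 03 explicitly and denies access when neither check passes. The class and method names are hypothetical; Z_TCODE, ZTCODE, ZCOMM and screens 1000/2000 are the ones used on this page, and the program is assumed to be a module pool that owns those screens.

```abap
" Added example: local class and method names are hypothetical.
CLASS lcl_zcomm_auth DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS is_allowed
      IMPORTING iv_actvt     TYPE activ_auth
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    CLASS-METHODS dispatch.
ENDCLASS.

CLASS lcl_zcomm_auth IMPLEMENTATION.
  METHOD is_allowed.
    " One place for the check, so every caller tests the same object and fields.
    AUTHORITY-CHECK OBJECT 'Z_TCODE'
      ID 'ACTVT'  FIELD iv_actvt
      ID 'ZTCODE' FIELD 'ZCOMM'.
    " Any non-zero sy-subrc is a denial (e.g. 4: values not authorized,
    " 12: no authorization for the object at all).
    IF sy-subrc = 0.
      rv_ok = abap_true.
    ELSE.
      rv_ok = abap_false.
    ENDIF.
  ENDMETHOD.

  METHOD dispatch.
    IF is_allowed( '01' ) = abap_true.
      CALL SCREEN 1000.              " create
    ELSEIF is_allowed( '03' ) = abap_true.
      CALL SCREEN 2000.              " display only, explicitly authorized
    ELSE.
      " Neither activity is granted: show no screen at all.
      MESSAGE 'Not authorized for transaction ZCOMM' TYPE 'S' DISPLAY LIKE 'E'.
      LEAVE PROGRAM.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

Call lcl_zcomm_auth=>dispatch( ) at the point where the snippet in section (5) stands. With the two roles built in section (4), the first user reaches screen 1000, the second reaches screen 2000, and a user holding only S_TCODE for ZCOMM is turned away.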