Authorization groups
The access protection system must ensure that only authorized individuals have access to the system and to particular data. To achieve precise application security with respect to authorization, and to protect confidential data against unauthorized access, it is very important to focus on the use of authorization groups.
The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
The table that contains all authorization objects is TOBJ.
The table that contains all activities is TACT.
The table that contains the definitions of all authorization groups is TBRG.
TBRG contains all authorization groups and gives information about the relation between authorization object and authorization group. The descriptions of the authorization groups are defined in table TBRGT.
The field name for authorization group, BRGRU, is used to make additional restrictions on authorizations (e.g. for document maintenance). In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS, which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
Authorization object S_TABU_DIS has the following fields:
DICBERCLS - Authorization group; maximum field length is four characters
ACTVT - Activity (02: Add, change or delete table entries; 03: Only display table contents)
Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. V_DDAT stores the assignment of tables/views to authorization groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
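The check described above, as an added ABAP example that is not part of the original post: it reads a table's authorization group and tests S_TABU_DIS for activities 03 and 02, so you can see what a given user may do with that table. Assumptions: TDDAT is the database table behind view V_DDAT, unassigned tables are checked against group &NC&, and the report name and sample table SFLIGHT are hypothetical.

```abap
REPORT z_check_table_auth_group.

" Added example. SFLIGHT is only a sample value.
PARAMETERS p_tab TYPE tabname DEFAULT 'SFLIGHT'.

DATA lv_group TYPE tddat-cclass.

" Assumption: TDDAT is the table maintained through view V_DDAT.
" TABNAME = table or view, CCLASS = assigned authorization group.
SELECT SINGLE cclass FROM tddat
  INTO lv_group
  WHERE tabname = p_tab.

" Assumption: a table without an assignment is checked against
" the group &NC& (not classified).
IF sy-subrc <> 0 OR lv_group IS INITIAL.
  lv_group = '&NC&'.
ENDIF.

WRITE: / 'Table:', p_tab, 'Authorization group:', lv_group.

" ACTVT 03: only display table contents.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD lv_group
  ID 'ACTVT'     FIELD '03'.
IF sy-subrc = 0.
  WRITE: / 'Display (03): allowed'.
ELSE.
  WRITE: / 'Display (03): not allowed'.
ENDIF.

" ACTVT 02: add, change or delete table entries.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD lv_group
  ID 'ACTVT'     FIELD '02'.
IF sy-subrc = 0.
  WRITE: / 'Maintain (02): allowed'.
ELSE.
  WRITE: / 'Maintain (02): not allowed'.
ENDIF.
```

The result reflects the authorizations of the user running the report, so run it under the account whose access is being reviewed.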
Sunday, July 27, 2014