
Customers have raised many cases relating to authorization problems, so it is
helpful to understand what authorization is and how to use it appropriately.
In this blog, I would like to explain authorization based on my own
understanding, using specific examples from CO-OM.

What is authorization?

Authorization decides whether a user has the right to create/change/display
data via a certain transaction, or whether a user can access the data of one
or several specific account assignment objects (cost center, order, WBS etc.).
It is controlled by Authorization Objects (AO).

You can view all the AOs that may be checked when running a certain
transaction via SU24.

Capture1.PNG

Capture2.PNG

You can also run a trace via ST01 to see exactly which AOs are checked when running KSB1 at a certain time.

ST01->Authorization check->Trace on

Capture3.PNG

KSB1

Capture4.PNG

Execute(F8)

Capture5.PNG

Back to ST01->Trace off->Analysis(F2)->Start reporting(F8)

Capture6.PNG

Double-click the object you want to check and then press Go to ABAP Position (F5) to get the source code of this object.

Capture7.PNG

Comparing the results from SU24 and ST01 may bring you closer to the root cause of the problem in some cases.

How does authorization work?

Authorizations are assigned to a specific role. Create a role via transaction PFCG.

Capture8.PNG

Capture9.PNG

Display Authorization Data and you will get all the authorization information for role Z_CCA_ERIC0.

Capture10.png

Go to SU01

Capture11.PNG

Assign role Z_CCA_ERIC0 to user I307133 and the user will have all the authorizations included in role Z_CCA_ERIC0.

How to use Authorizations?

Scenario:

The user is not allowed to create/change cost centers, but is allowed to
display them.

  1. Create role Z_CCA_ERIC4
  2. Go to PFCG->change role->authorizations->Change Authorization Data
  3. Change “All activities” to “Display” only

Capture12.PNG

Capture13.PNG

Generate.

  4. Go to SU01, assign Z_CCA_ERIC4 to user I307133

Capture14.PNG

Save.

Now let’s see whether it works or not.

Go to KS03 to display cost center 1000181

Capture15.PNG

Capture16.PNG

Then go to KS02 to change cost center 1000181.

Capture17.PNG

The system displays a "no authorization" error.

Go to SU53

Capture18.PNG

Now you can see from the screen above that the authorization we set has prevented the user from changing cost center 1000181. The system works as we expected.
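
The scenario above modelled in Python, as an added example that is not part of the original post and is not SAP code: a simplified authorization check in which a request passes only if one single authorization covers every checked field. The object name K_CSKS, its fields KOKRS/KOSTL/ACTVT, controlling area 0001, cost center 2000000 and role Z_SPLIT are assumptions for illustration.

```python
from dataclasses import dataclass

# Standard ACTVT values: 01 = create, 02 = change, 03 = display.
CREATE, CHANGE, DISPLAY = "01", "02", "03"
TCODE_ACTVT = {"KS01": CREATE, "KS02": CHANGE, "KS03": DISPLAY}

@dataclass
class Authorization:
    obj: str      # authorization object name
    values: dict  # field name -> set of allowed values, "*" means any

    def permits(self, wanted):
        # All checked fields must be satisfied by this single authorization.
        for name, value in wanted.items():
            allowed = self.values.get(name, set())
            if "*" not in allowed and value not in allowed:
                return False
        return True

@dataclass
class Role:
    name: str
    authorizations: list

def authority_check(roles, obj, **wanted):
    """Simplified model of the check; return codes follow sy-subrc:
    0 = authorized, 4 = values not covered, 12 = no authorization for the object."""
    candidates = [a for r in roles for a in r.authorizations if a.obj == obj]
    if not candidates:
        return 12
    return 0 if any(a.permits(wanted) for a in candidates) else 4

# Constructed data: object/field names and controlling area are assumptions.
OBJ = "K_CSKS"
Z_CCA_ERIC4 = Role("Z_CCA_ERIC4", [
    Authorization(OBJ, {"KOKRS": {"*"}, "KOSTL": {"*"}, "ACTVT": {DISPLAY}})])
# Hypothetical role: its two authorizations are evaluated separately, not merged.
Z_SPLIT = Role("Z_SPLIT", [
    Authorization(OBJ, {"KOKRS": {"*"}, "KOSTL": {"1000181"}, "ACTVT": {DISPLAY}}),
    Authorization(OBJ, {"KOKRS": {"*"}, "KOSTL": {"2000000"}, "ACTVT": {CHANGE}})])
USER_ROLES = {"I307133": [Z_CCA_ERIC4]}

def run_transaction(user, tcode, cost_center, kokrs="0001"):
    return authority_check(USER_ROLES.get(user, []), OBJ, KOKRS=kokrs,
                           KOSTL=cost_center, ACTVT=TCODE_ACTVT[tcode])

if __name__ == "__main__":
    for tcode in ("KS03", "KS02"):
        print(tcode, run_transaction("I307133", tcode, "1000181"))
```

Return code 4 for KS02 is the failed check that the SU53 step surfaces; Z_SPLIT shows why a role can hold both "change" and the right cost center and still be refused when they sit in different authorizations.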
