Former Member

What is Authorization and How to use Authorization properly

Customers have raised many cases related to authorization problems, so it is
helpful to understand what authorization is and how to use it appropriately.
In this blog, I would like to talk about authorization based on my own
understanding, using specific examples from CO-OM.

What is authorization?

Authorization decides whether a user has the right to create/change/display
data via a certain transaction, or whether a user can access the data on one
or several specific account assignment objects (cost center, order, WBS etc.).
It is controlled by Authorization Objects (AO).

You can view all the AOs that may be checked when running a certain
transaction via SU24.


You can also run a trace via ST01 to see exactly which AOs are checked when running KSB1 at a certain time.

ST01->Authorization check->Trace on


KSB1


Execute(F8)


Back to ST01->Trace off->Analysis(F2)->Start reporting(F8)


Double-click the object you want to check and then press Go to ABAP Position (F5) to get the source code of this object.


Comparing the outcomes of SU24 and ST01 may bring you closer to the root cause of the problem in some cases.

How does Authorization work?

Authorizations are assigned to a specific role. Create a role via transaction PFCG.


Choose Display Authorization Data to see all the authorization information for role Z_CCA_ERIC0.


Go to SU01


Assign role Z_CCA_ERIC0 to user I307133 and the user will have all the authorizations included in role Z_CCA_ERIC0.

How to use Authorizations?

Scenario:

The user is not allowed to create/change cost centers, but is allowed to
display them.

  1. Create role Z_CCA_ERIC4
  2. Go to PFCG->change role->authorizations->Change Authorization Data
  3. Change “All activities” to “Display” only


Generate.

  4. Go to SU01, assign Z_CCA_ERIC4 to user I307133


Save.

Now let’s see whether it works or not.

Go to KS03 to display cost center 1000181


Then go to KS02 to change cost center 1000181.


The system displays a "no authorization" error.

Go to SU53


The SU53 screen shows that the authorization we set has prevented the user from changing cost center 1000181. The system works as we
expected.
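
The scenario above, written as a simplified model of how an authorization check is evaluated. This is an added example, not SAP code and not part of the original post; the object name K_CSKS, its fields KOKRS/KOSTL/ACTVT, the controlling area 1000 and the return codes 0/4/12 are assumptions for illustration.

```python
# Simplified model of an authorization-object check (not SAP code).
# Assumed for illustration: object K_CSKS with fields KOKRS/KOSTL/ACTVT,
# controlling area "1000" (constructed), return codes 0/4/12.

ACTVT = {"KS02": "02", "KS03": "03"}  # activity: 02 = change, 03 = display

# role -> list of authorizations, each (object, {field: allowed values})
ROLES = {
    "Z_CCA_ERIC4": [
        ("K_CSKS", {"KOKRS": ["*"], "KOSTL": ["*"], "ACTVT": ["03"]}),
    ],
}
USER_ROLES = {"I307133": ["Z_CCA_ERIC4"]}


def value_allowed(allowed, value):
    """A field passes on an exact value, '*', or a 'prefix*' pattern."""
    for pattern in allowed:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
    return False


def authority_check(user, obj, **required):
    """Return 0 if authorized, 4 if the user holds the object but the
    values do not match, 12 if the user does not hold the object."""
    auths = [fields for role in USER_ROLES.get(user, [])
             for name, fields in ROLES.get(role, []) if name == obj]
    if not auths:
        return 12
    for fields in auths:
        # Every required field must pass within ONE authorization.
        if all(value_allowed(fields.get(f, []), v) for f, v in required.items()):
            return 0
    return 4


def run_transaction(user, tcode, cost_center, kokrs="1000"):
    """Check that gates a cost center transaction in this model."""
    return authority_check(user, "K_CSKS", KOKRS=kokrs,
                           KOSTL=cost_center, ACTVT=ACTVT[tcode])
```

Because every field must match inside a single authorization, a second role that allows change only for other cost centers would still return 4 for KS02 on cost center 1000181.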

      3 Comments
      Former Member

      Nice document Eric. Thanks for sharing.

      Former Member
      Blog Post Author

      Sorry for the late response. Thanks! I'm glad it helps!

      irala reddy

      Good for new users.