How to Create a Custom Authorization Object?
Explanation of the Question
Quite often, and somewhat paradoxically, a functional consultant ends up with the task of creating a custom authorization object. When is this useful? For example, when an ABAP report should only be runnable by users on a specific "whitelist". A user with the SAP_ALL profile does not automatically pass such a check: SAP_ALL contains only the authorization objects that existed when the profile was last generated, so a newly created object is not part of it until SAP_ALL is regenerated (see section 5). In this note, I'll share how to create your own authorization object and how to work with it.
Solution
1. Creating the Authorization Class and Object
In transaction SU21, first create a new authorization class (object class) and then, within it, the new authorization object with its fields. For the example in this note the object is ZDEMO with the standard field ACTVT (activity); the value checked later is activity 16 (Execute). You can also maintain documentation for the object here; this is the text that PFCG later shows via F1. Let's look at how the new object can be used.
2. Use Case #1: Creating a New Transaction with a Predefined Authorization Object
When creating a custom transaction in SE93, you can enter an authorization object and the field values it must carry. The transaction can then only be started by a user whose authorizations satisfy these values (in addition to the usual S_TCODE check). The video segment below shows the step-by-step process of creating a new transaction and assigning the custom authorization object to it; everything is done in transaction SE93. Note that this check only protects the start of the transaction: the same report can still be run directly via SE38 or SA38 by anyone allowed to use those transactions, which is why the check should also be coded in the program itself (see Use Case #3).
I then execute the created transaction (under a user with the SAP_ALL profile).
3. Use Case #2: Creating a Custom Role with the New Authorization Object
As with any authorization object, the new one must be included in a role, and that role must be assigned to a user. The following video demonstrates how to create a new role and include the new authorization object: in transaction PFCG, open the Authorizations tab, insert the object manually, maintain its field values (here ACTVT = 16), generate the profile, and then assign the role on the User tab and run the user comparison.
Note: If you maintained documentation for the authorization object when creating it (see step #1), it is visible in PFCG by pressing F1 on the object.
Assign the role to a user and try executing the custom transaction again.
4. Use Case #3: Checking for Authorization Object in an ABAP Program
You can also check whether a user has a specific authorization directly in an ABAP program using the AUTHORITY-CHECK statement (see the ABAP keyword documentation for AUTHORITY-CHECK). This is the check that actually matters: an authorization object protects nothing by itself, only the code that calls AUTHORITY-CHECK for it does. After the statement, sy-subrc = 0 means the user is authorized; any other value must be treated as "not authorized".
For example:
REPORT zdemo1.

* Assumes message class ZHR with messages 005 and 006 and text symbol B01.
SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME TITLE text-b01.
  PARAMETERS p_start AS CHECKBOX.   " contains 'X' when the box is ticked
SELECTION-SCREEN END OF BLOCK b1.

AT SELECTION-SCREEN.
  IF p_start = 'X'.
    " Object ZDEMO, field ACTVT, activity 16 (Execute)
    AUTHORITY-CHECK OBJECT 'ZDEMO' ID 'ACTVT' FIELD '16'.
    IF sy-subrc <> 0.
      " an E message in this event aborts it and redisplays the selection screen
      MESSAGE e005(zhr) WITH sy-uname.
*     User &1 doesn't have authorization to run this report!
    ENDIF.
    MESSAGE i006(zhr) WITH sy-uname.
*   User &1 is authorized :)
  ENDIF.
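The following is an added example, not code from the original note. It extends the report above with two things a practitioner usually needs: the authorization object has a second field (a hypothetical plant field ZWERKS) that can either be checked or skipped with DUMMY, and the return code of AUTHORITY-CHECK is evaluated in one place so that every non-zero value denies execution (fail closed) while the comments explain what 4 and 12 mean for troubleshooting. The object name ZDEMO, the field ZWERKS, the plant parameter, message class ZHR with messages 005/006, and text symbol B01 are all assumed to exist.

```abap
REPORT zdemo_auth_rc.

" Added example (not code from the original note).
" Assumptions (hypothetical): object ZDEMO has the fields ACTVT and ZWERKS;
" message class ZHR contains messages 005 and 006; text symbol B01 exists.

CLASS lcl_auth DEFINITION.
  PUBLIC SECTION.
    " Returns the sy-subrc of the AUTHORITY-CHECK so the caller can decide
    " how to react; only 0 means "authorized".
    CLASS-METHODS check_execute
      IMPORTING iv_werks     TYPE werks_d
                iv_any_plant TYPE abap_bool DEFAULT abap_false
      RETURNING VALUE(rv_rc) TYPE sysubrc.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD check_execute.
    " ACTVT 16 = Execute. When the plant must not restrict the check, the
    " field is passed as DUMMY; leaving it out would check its initial value.
    IF iv_any_plant = abap_true.
      AUTHORITY-CHECK OBJECT 'ZDEMO'
        ID 'ACTVT'  FIELD '16'
        ID 'ZWERKS' DUMMY.
    ELSE.
      AUTHORITY-CHECK OBJECT 'ZDEMO'
        ID 'ACTVT'  FIELD '16'
        ID 'ZWERKS' FIELD iv_werks.
    ENDIF.
    rv_rc = sy-subrc.
  ENDMETHOD.
ENDCLASS.

SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME TITLE text-b01.
  PARAMETERS p_werks TYPE werks_d.
SELECTION-SCREEN END OF BLOCK b1.

AT SELECTION-SCREEN.
  " Fail closed: every non-zero return code denies execution. The codes
  " differ only in what the administrator should look at (transaction SU53
  " shows the last failed authorization check for the user).
  DATA(lv_rc) = lcl_auth=>check_execute( p_werks ).
  CASE lv_rc.
    WHEN 0.
      MESSAGE i006(zhr) WITH sy-uname.   " User &1 is authorized
    WHEN 4.
      " the object is in the user's profiles, but not with ACTVT 16 / this plant
      MESSAGE e005(zhr) WITH sy-uname.
    WHEN 12.
      " the object is not contained in any of the user's profiles at all
      MESSAGE e005(zhr) WITH sy-uname.
    WHEN OTHERS.
      " definition or programming error (e.g. 24 = field names do not match
      " the object); deny rather than let the report run
      MESSAGE e005(zhr) WITH sy-uname.
  ENDCASE.

START-OF-SELECTION.
  " reached only if the selection-screen check did not raise the E message,
  " which aborts the event and redisplays the selection screen
  WRITE: / 'Report executed for plant', p_werks.
```

Keeping the check in AT SELECTION-SCREEN mirrors the original report: an E message there returns the user to the selection screen instead of running the report. If you later add more fields to the object, every AUTHORITY-CHECK must name each field, either with a value or with DUMMY; a field that is simply omitted is checked against its initial value and the check fails unexpectedly.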
I run the program under a user who doesn’t have the required authorization object.
Then I assign the previously created role to this user and execute the program again.
5. Adding the Authorization Object to the SAP_ALL Profile
To include the new authorization object in the SAP_ALL profile, open transaction SU21 and click the Regenerate SAP_ALL button (the profile is rebuilt from all authorization objects that now exist).
You can confirm that the profile now includes the new object via transaction SUIM, for example by listing the authorizations contained in profile SAP_ALL.
After the object has been added to SAP_ALL, there is no longer any need to assign a separate role containing it to users who already have SAP_ALL. Keep in mind that this also means the "whitelist" idea from the introduction no longer holds for those users: every SAP_ALL holder passes the check as soon as the profile is regenerated. SAP_ALL should in any case only be found on emergency or sandbox users, not on regular accounts in a production system.