What is Authorization and How to use Authorization properly
Customers have raised many cases relating to authorization
problems, so it is helpful to understand what authorization is
and how to use it appropriately. In this blog, I would like to talk
about authorization based on my own understanding, using specific examples of
What is authorization?
Authorization decides whether a user has the
right to create/change/display data via a certain transaction, or whether a
user can access the data on one or several specific account assignment
objects (Cost center, Order, WBS etc.). It is controlled by Authorization Objects (AOs).
In transaction SU24 you can view all the AOs that may be checked when
a certain transaction is run.
You can also run a trace via ST01 to see exactly which AOs are checked when running KSB1 at a certain time.
ST01->Authorization check->Trace on
Back to ST01->Trace off->Analysis(F2)->Start reporting(F8)
Double-click the object you want to check and then press Go to ABAP Position (F5); you will get the source code of this object.
Comparing the outcomes of SU24 and ST01 may bring you closer to the root cause of the problem in some cases.
How does Authorization work?
Authorizations are assigned to a specific role. Create a role via transaction PFCG.
Display Authorization Data and you will get all the authorization information for role Z_CCA_ERIC0.
Go to SU01
Assign role Z_CCA_ERIC0 to user I307133 and the user will have all the authorizations included in role Z_CCA_ERIC0.
How to use Authorizations?
User is not allowed to create/change cost centers, but is allowed to
1. Create role Z_CCA_ERIC4
2. Go to PFCG->change role->authorizations->Change Authorization Data
3. Change “All activities” to “Display” only
4. Go to SU01, assign Z_CCA_ERIC4 to user I307133
Now let’s see whether it works or not.
Go to KS03 to display cost center 1000181
Then go to KS02 to change cost center 1000181.
The system displays a "no authorization" error.
Go to SU53
Now you can see from the screen above that the authorization we set has prevented the user from changing cost center 1000181. System works as we
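The test above can be modelled in a few lines to show how the check is evaluated. This is an added example, not SAP code and not from the original post. The object name K_CSKS, the field names KOSTL and ACTVT, and the transaction-to-activity mapping are assumptions, and user TESTUSER2 and role Z_DEMO_SPLIT are constructed. It goes one step beyond the post by showing that a check passes only when one single authorization covers all checked fields; values are not combined across authorizations.

```python
# Simplified model of an authorization check (added example, not SAP code).
# Assumptions: object name K_CSKS and field names KOSTL/ACTVT; user TESTUSER2
# and role Z_DEMO_SPLIT are constructed for illustration.
CREATE, CHANGE, DISPLAY = "01", "02", "03"   # standard activity codes

ROLES = {        # role -> list of authorizations, as maintained in PFCG
    "Z_CCA_ERIC4": [
        {"object": "K_CSKS", "KOSTL": ["*"], "ACTVT": [DISPLAY]},
    ],
    "Z_DEMO_SPLIT": [
        {"object": "K_CSKS", "KOSTL": ["*"], "ACTVT": [DISPLAY]},
        {"object": "K_CSKS", "KOSTL": ["1000999"], "ACTVT": [CHANGE]},
    ],
}
USER_ROLES = {   # user -> assigned roles, as maintained in SU01
    "I307133": ["Z_CCA_ERIC4"],
    "TESTUSER2": ["Z_DEMO_SPLIT"],
}
LAST_FAILED = {}  # user -> last failed check, the information SU53 displays


def _matches(auth, obj, wanted):
    """All checked fields must match inside this one authorization."""
    if auth["object"] != obj:
        return False
    return all("*" in auth.get(f, []) or v in auth.get(f, [])
               for f, v in wanted.items())


def authority_check(user, obj, **wanted):
    """True if any single authorization of the user's roles covers the check."""
    for role in USER_ROLES.get(user, []):
        if any(_matches(a, obj, wanted) for a in ROLES.get(role, [])):
            return True
    LAST_FAILED[user] = {"object": obj, **wanted}
    return False


def run_transaction(user, tcode, kostl):
    """KS03 checks display, KS02 checks change (activity mapping assumed)."""
    actvt = {"KS03": DISPLAY, "KS02": CHANGE}[tcode]
    return authority_check(user, "K_CSKS", KOSTL=kostl, ACTVT=actvt)


if __name__ == "__main__":
    print(run_transaction("I307133", "KS03", "1000181"))   # display attempt
    print(run_transaction("I307133", "KS02", "1000181"))   # change attempt
    print(LAST_FAILED.get("I307133"))                      # SU53-style record
```

TESTUSER2 can display every cost center and change 1000999, yet still cannot change 1000181, because the display-for-all authorization and the change authorization are evaluated separately.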