SAP权限对象的创建与使用

在SAP的权限管理范畴，authority object是一个极其重要的东西，要明白SAP如何实现权限控制的，必须理解authority object

简单来说，对于SAP的标准程序(一般都是由tcode控制)，当用户运行该标准程序，程序首先会验证当前用户是否有运行当前tcode的权限，也就是用SU01察看当前用户是否有那么一个角色包含了s_tcode权限对象(当然该对象中tcode field列表里面要有当前程序的tcode)。 如果这关通过了，那么标准程序的首界面就打开了，除此之外在标准程序里面还有许多的权限检查，比如检查当前用户是否有修改界面值得权限。

下面演示一下我们如何创建权限对象，并且如何在自定义程序中使用。（转自于：http://www.richardsantos.net/2009/03/16/sap-how-to-create-and-use-the-authorization-objects-in-abap/ ， 再次转载请注明出处）

 

Figure 1

Steps to create authorization field
1. Go to transaction code SU20
2. Click the create new button on the application toolbar.
3. Enter “ZTCODE” in the Field Name and “TCODE” in the Data Element, then hit Enter.
4. Click the save button on the system toolbar.

Next step is to create the authorization class(see #1 in figure 1) and authorization object(see #2 in figure 1).

Steps to create authorization class
1. Go to transaction code SU21
2. Click on the Create button’s drop down icon and select “Object Class”.
3. Enter “ZTRN” on the Object Class field.
4. Give it a description and save it.

Steps to create authorization object
1. Again in SU21, in the list of authorization class(folder icon), click the one that we’ve created(ZTRN).
2. Click on the Create buttodrop down, this time selecting “Authorization Object”.
3. Enter “Z_TCODE” on the Object field and give it a description.
4. On the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while the ZTCODE is the authorization field that we’ve created earlier which is
responsible for holding a list of tcodes.
5. On the Further Authorization Object Settings, click on “Permitted activities” button. Here we will select the specific activities that we want to be available for our authorization object.
6. As an example, we will select 01(Create), 02(Change), and 03(Display).
7. Save and Exit.

Now we’re done creating our own authorization object, let us now use and assign it to a user.

Steps to create a role(see figure 2)
1. Go to transaction code PFCG.
2. Enter “ZAUTHTEST” on Role field and click the “Single Role” button.
3. Now give it a description, click the save button and click the Authorization tab.
4. Click the “Change Authorization Data” button inside the authorization tab.
5. Then click the “Manually” button on the application toolbar and type in the name of the authorization object that we’ve created earlier(”Z_TCODE”) and press enter.
6. Expand all the nodes, double click on the input field of the Activity and select activity 01 and 02.
7. Enter the tcode of our own abap program in ZTCODE field, in our example I used “ZCOMM” .
8. And also don’t forget to add the S_TCODE authorization object and enter ZCOMM on it’s field.
9. Now Click on the Generate button in the application toolbar and press enter on the pop-up screen.
10. press the back button and assign a specific user on the user tab and click User Comparison button.
11. Now create another role by repeating steps 1 to 9 but this time select activity 03 on step 6.
12. Then assign this 2nd role to another user.

Figure 2

Now let’s implement this authorization in our ABAP program. Let say we have a dialog program(ZCOMM) wherein we have a button on the screen that when clicked, the user will go to the Create/Edit screen(1000) if he’s authorized. On the other hand, he will go to display only screen(2000) if he’s not authorized. To do that, simply add the code below on your program.

  AUTHORITY-CHECK OBJECT ‘Z_TCODE’    “authorization object that we’ve created
      ID ‘ACTVT’ FIELD ‘01′                        “Activity = 01, authorized to create
      ID ‘ZTCODE’ FIELD ‘ZCOMM’.            “tcodes that we wants to check for authorization
  IF sy-subrc EQ 0.
      CALL SCREEN 1000.        “The user is authorized to create
  ELSE.
      CALL SCREEN 2000.        “User is not authorized to create (Display only)
  ENDIF.