In this post I am going to show you the exact steps to create a new authorization object in any SAP system, such as SAP ECC or SAP CRM.
In certain contexts, you may need several authorizations to perform an operation in the SAP system. The resulting contexts can be very complex. The SAP authorization concept has been realized on the basis of authorization objects to provide an understandable and easy-to-follow procedure. Several system elements that are to be protected form an authorization object.
Authorization objects enable complex checks of an authorization that allows a user to carry out an action. An authorization object groups up to ten authorization fields that are checked in an AND relationship.
For an authorization check to be successful, all field values of the authorization object must be maintained in the user master data.
Authorization objects are assigned to object classes for purposes of clarity. The authorization objects for mySAP CRM belong to the CRM (Customer Relationship Management) object class.
You can display or edit the authorization objects and their fields using transaction SU21. You can also use this transaction to create new object classes and authorization objects.
The authorization objects of the CRM (CRM Component) object class have, as with all SAP authorization objects, up to ten fields, which are read by the system during an authorization check.
Example: CRM_ORD_PR (Authorization Object CRM Order - Business Transaction Type)
As you can see in the above screenshot, this particular authorization object consists of two authorization fields: PR_TYPE (process type, or transaction type) and ACTVT (allowed activity).
1. Creating a new SAP Authorization Object
In order to create an authorization object, launch the transaction code SU21.
Within this transaction code you can actually create two important things.
- Create a new authorization object class
- Create a new authorization object
What you see in the above screenshot (the folders) are actually the authorization object classes available within an SAP CRM 7.0 system.
Now to keep it simple we will create a new authorization object in the existing authorization object class CRM.
In order to create a new authorization object within that particular class, I select the class and then right-click it, which shows me the following menu:
Alternatively you can select the relevant authorization class, and from the menu select the option to create the new authorization object:
I prefer the first option.
In the pop-up that appeared, I entered:
- a name for my new authorization object: Z_BW_LIST
- a useful description for my object
- the relevant authorization field(s) - I only used an existing authorization field for this purpose, called ACTVT (allowed activity)
Next I pressed the button “permitted activities”. By doing this, the system will first ask you to select a relevant package. Select an appropriate package and save.
In the list of available activities for the authorization field ACTVT I only selected change and display, as this is what I want to be checked for my scenario.
You will also need a Workbench-request to save your new authorization object in. I selected an existing WB-request for this purpose.
Once done, it will look like this.
I also suggest you maintain some documentation for any new authorization object you create. You can do this using the button “Create Object documentation”. Here you should probably explain for which program, transaction code or BSP application (component/view) you use this authorization object. Furthermore explain how the object is being checked and what it will allow a user to perform once he gets this authorization.
A last (logical) step would be to regenerate the SAP_ALL Profile - just so that SAP_ALL really stays a SAP_ALL profile.
Some comments to be added from the real experts on SAP authorizations (thanks to some sapfans authorization & ABAP gurus such as thx4allthefish, Rich and Vlozano):
- This approach does not work for SAP BI
- There are for sure additional steps that are not mentioned or explained in this particular post, such as:
  - updating SU24/SU22 to ensure all USOB* tables are correct and up to date
  - having a new authorization object is one thing, but you'll also need to ensure it is being checked in your ABAP coding
The SAP University Team
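The last point in the list above, checking the new object in ABAP code, could look like the following for Z_BW_LIST with ACTVT limited to change (02) and display (03). This is an added example, not code from the original post; the report name Z_BW_LIST_AUTH_DEMO, the checkbox parameter and the message texts are assumptions.

```abap
REPORT z_bw_list_auth_demo.  " hypothetical report name

" Activity codes matching the permitted activities chosen for ACTVT.
CONSTANTS: gc_change  TYPE activ_auth VALUE '02',
           gc_display TYPE activ_auth VALUE '03'.

" Assumed input: ticked = the user wants to change, otherwise display only.
PARAMETERS p_change AS CHECKBOX.

DATA: gv_actvt TYPE activ_auth,
      gv_msg   TYPE string.

START-OF-SELECTION.
  IF p_change = 'X'.
    gv_actvt = gc_change.
  ELSE.
    gv_actvt = gc_display.
  ENDIF.

  " Check the current user's master record for Z_BW_LIST with this activity.
  " Every field of the object must be listed; Z_BW_LIST only has ACTVT.
  AUTHORITY-CHECK OBJECT 'Z_BW_LIST'
    ID 'ACTVT' FIELD gv_actvt.

  " Fail closed: only sy-subrc = 0 lets the protected logic run.
  CASE sy-subrc.
    WHEN 0.
      CLEAR gv_msg.
    WHEN 4.
      " Object is in the user master, but not with this activity value.
      CONCATENATE 'Z_BW_LIST: activity' gv_actvt 'is not authorized'
        INTO gv_msg SEPARATED BY space.
    WHEN 12.
      " Object is missing from the user master altogether.
      gv_msg = 'Z_BW_LIST: no authorization for this object'.
    WHEN OTHERS.
      gv_msg = 'Z_BW_LIST: authorization check failed'.
  ENDCASE.

  IF gv_msg IS NOT INITIAL.
    MESSAGE gv_msg TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Protected logic goes here; it is reached only after a successful check.
  WRITE: / 'Authorized for activity', gv_actvt.
```

Evaluating sy-subrc immediately after AUTHORITY-CHECK matters: any statement in between can overwrite it and turn a denied check into a pass.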