In general, the access to particular table is controlled by authorization object S_TABU_DIS which has fields for activity (ACTVT) and Authorization group (DICBERCLS). In this case, it is understood that the table is assigned to specific authorization group and the name of authorization group containing the respective table has be maintained in S_TABU_DIS.
However, this situation has some limits:
- There are large numbers of table which are not assigned to any authorization groups, these are included under authorization group &NC& but assignment of tables to this authorization group is not much useful while securing access to any particular table.
- The authorization group name can have up to 4 characters hence there is a limit to define the authorization group.
- If we need to give access to only one table belonging to some authorization group; say XYZ then it involves an additional efforts.
To overcome these limitations, we can use the authorization object S_TABU_NAM. This authorization object contains two fields as below:
- Activity (ACTVT) – Display or change access similar to ACTVT in S_TABU_DIS
- Table Name (TABNAME) – Name of table of view
With this object, the system checks the view names or table names directly so that an exact authorization check is possible. Also, this table is checked only if the authorization check on S_TABU_DIS is unsuccessful. In this way, this provision enables both features providing more flexibility.
The authorization object S_TABU_NAM is provided in recent versions of SAP Systems, a relevant note/correction instructions need to be applied to system with lower versions. At program level, the authorization check on S_TABU_NAM is implemented only in the module VIEW_AUTHORITY_CHECK.
Leave a Reply