Module 28: Authorization Concepts
Authorization ensures that users can only see and perform what they are allowed to.
In SAP, authorization is enforced at multiple layers: ABAP code, CDS views, and UI.
1. Authorization Objects
What is an Authorization Object?
An authorization object:
- Groups up to 10 authorization fields
- Is checked at runtime
- Is assigned via roles
Example:
- Object: Z_SALES_AUTH
- Fields: ACTVT, VKORG
Authorization objects define what is allowed, roles define who gets it.
Authorization Object Structure
Authorization Object
├─ Field 1 (e.g. ACTVT)
├─ Field 2 (e.g. VKORG)
└─ ...
2. SU24 (Authorization Proposal)
What is SU24?
SU24 is used to:
- Maintain authorization proposals
- Link authorization objects to transactions
- Simplify role maintenance
SU24 ensures consistent and minimal role assignments.
SU24 Flow
Transaction → SU24 → Authorization Objects → PFCG Role
Always maintain SU24 proposals for custom transactions.
3. Authority Checks in ABAP
3.1 AUTHORITY-CHECK Statement
Classic ABAP authorization check:
DATA lv_vkorg TYPE vkorg VALUE '1000'. " sales organization to check (sample value)

AUTHORITY-CHECK OBJECT 'Z_SALES_AUTH'
  ID 'ACTVT' FIELD '03'      " 03 = display
  ID 'VKORG' FIELD lv_vkorg.
IF sy-subrc <> 0.
  MESSAGE 'No authorization' TYPE 'E'.
ENDIF.
Never rely on UI-only authorization. Always check authorizations in backend logic.
3.2 Where to Place AUTHORITY-CHECK
Best locations:
- Before sensitive operations
- Before database updates
- In the service / domain layer
Encapsulate authorization checks in dedicated classes.
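The following is an added example, not code from the original module, showing how the check from 3.1 can be wrapped in a dedicated class and called in the service layer before a database update. The class ZCL_SALES_AUTH, its method names, the exception class ZCX_NO_AUTHORIZATION, and the table ZSALES with fields VKORG, DOCNR and AMOUNT are all assumed names; the ACTVT values 02 (change) and 03 (display) are the standard SAP activity codes.

```abap
" Added example: dedicated authorization class wrapping AUTHORITY-CHECK.
" ZCL_SALES_AUTH, ZCX_NO_AUTHORIZATION and table ZSALES are assumed names.
CLASS zcl_sales_auth DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    CONSTANTS:
      c_display TYPE activ_auth VALUE '03',   " standard ACTVT values
      c_change  TYPE activ_auth VALUE '02'.

    " Returns abap_true if the current user may perform the activity for
    " the given sales organization. Both values come in as parameters;
    " nothing about users or organizations is hard-coded here.
    METHODS is_allowed
      IMPORTING iv_actvt          TYPE activ_auth
                iv_vkorg          TYPE vkorg
      RETURNING VALUE(rv_allowed) TYPE abap_bool.

    " Raises instead of returning a flag, for callers that must not continue.
    METHODS check_or_fail
      IMPORTING iv_actvt TYPE activ_auth
                iv_vkorg TYPE vkorg
      RAISING   zcx_no_authorization.   " assumed subclass of CX_STATIC_CHECK
ENDCLASS.

CLASS zcl_sales_auth IMPLEMENTATION.
  METHOD is_allowed.
    AUTHORITY-CHECK OBJECT 'Z_SALES_AUTH'
      ID 'ACTVT' FIELD iv_actvt
      ID 'VKORG' FIELD iv_vkorg.
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD check_or_fail.
    IF is_allowed( iv_actvt = iv_actvt iv_vkorg = iv_vkorg ) = abap_false.
      RAISE EXCEPTION TYPE zcx_no_authorization.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

" Usage inside an (assumed) service class: the check runs in the backend,
" directly before the UPDATE, regardless of what the UI has hidden or disabled.
METHOD update_sales_amount.   " IMPORTING is_sales TYPE zsales, RAISING zcx_no_authorization
  NEW zcl_sales_auth( )->check_or_fail(
    iv_actvt = zcl_sales_auth=>c_change
    iv_vkorg = is_sales-vkorg ).
  UPDATE zsales SET amount = @is_sales-amount
    WHERE vkorg = @is_sales-vkorg AND docnr = @is_sales-docnr.
ENDMETHOD.
```

Keeping the object name and field IDs in one class means a later change to the authorization object (for example adding a field) is made in one place, and unit tests can replace the class with a test double instead of manipulating roles.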
4. CDS-Based Authorization (Modern & Recommended)
4.1 CDS Authorization Concept
CDS supports data-level authorization using:
- Annotations
- DCL (Data Control Language)
@AbapCatalog.sqlViewName: 'ZCDSSALES'   // required for a classic (DDIC-based) define view
@AccessControl.authorizationCheck: #CHECK // DCL for this view is evaluated on every read
define view Z_CDS_Sales
  as select from zsales
{
  company,
  amount
}
4.2 DCL (Data Control Language)
DCL defines row-level access rules.
@EndUserText.label: 'Access control for Z_CDS_Sales'
@MappingRole: true                       // required: maps the DCL role to PFCG authorizations
define role Z_SALES_ROLE {
  grant select on Z_CDS_Sales
    where ( company ) = aspect pfcg_auth( Z_COMP_AUTH, BUKRS ); // names are unquoted in DCL
}
Authorization is enforced automatically and consistently.
5. CDS Authorization vs ABAP AUTHORITY-CHECK
| Aspect | AUTHORITY-CHECK | CDS Authorization |
|---|---|---|
| Level | Code | Data |
| Enforcement | Manual | Automatic |
| Granularity | Operation | Row-level |
| RAP/Fiori | Manual | Native |
| Risk of Miss | High | Low |
Use CDS-based authorization wherever possible.
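As an added example for sections 4 and 5 (not code from the original module), the following ABAP shows where the DCL rule from 4.2 applies and where it does not. It assumes the view Z_CDS_Sales and role Z_SALES_ROLE exactly as defined above, the base table ZSALES with fields COMPANY and AMOUNT, that the authorization object Z_COMP_AUTH has the fields BUKRS and ACTVT, and a user whose PFCG roles grant BUKRS = '1000' only.

```abap
" Added example: reading through the CDS view vs. reading the base table.
" Z_CDS_Sales / Z_SALES_ROLE are from the module; everything else is assumed.

" 1. Reading through the CDS view: the DCL role is applied by the database
"    interface. With the assumed roles only company = '1000' rows come back,
"    and no ABAP code had to check anything.
SELECT company, amount
  FROM z_cds_sales
  INTO TABLE @DATA(lt_allowed).

" 2. Reading the base table directly: DCL is NOT applied, every company is
"    returned. This is the "missing backend check" from section 7, and it is
"    why access paths should go through the CDS view, not the table.
SELECT company, amount
  FROM zsales
  INTO TABLE @DATA(lt_all).

" 3. A write on the base table cannot be protected by DCL, so the same
"    object and field are checked explicitly. Using Z_COMP_AUTH/BUKRS here
"    keeps the code-level rule aligned with the data-level rule.
DATA(ls_change) = VALUE zsales( company = '1000' amount = 250 ). " constructed input
AUTHORITY-CHECK OBJECT 'Z_COMP_AUTH'
  ID 'BUKRS' FIELD ls_change-company
  ID 'ACTVT' FIELD '02'.                " 02 = change
IF sy-subrc <> 0.
  MESSAGE 'No authorization for company code' TYPE 'E'.
ENDIF.
UPDATE zsales SET amount = @ls_change-amount
  WHERE company = @ls_change-company.
```

The contrast in steps 1 and 2 is the "Risk of Miss" row of the table: with DCL the filter cannot be forgotten by a caller of the view, while every direct table access needs its own explicit check.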
6. Authorization in RAP
In RAP:
- CDS authorization is mandatory
- Behavior definitions rely on CDS security
- Actions are automatically secured
If CDS authorization is missing, RAP services may expose unrestricted data.
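The following added example (not from the original module) goes one step beyond the text: besides relying on the DCL of the CDS view for reads, a RAP behavior definition can declare instance authorization so that update and delete are checked per row in the backend. It assumes Z_CDS_Sales has a key field DOCNR, uses the authorization object Z_COMP_AUTH with fields BUKRS and ACTVT from section 4.2, and the behavior pool name ZBP_CDS_SALES and alias Sales are assumed.

```abap
" Added example: RAP instance authorization on top of the CDS view.
" Names other than Z_CDS_Sales and Z_COMP_AUTH/BUKRS are assumed.

" --- Behavior definition (BDL source for Z_CDS_Sales) ---
" managed implementation in class zbp_cds_sales unique;
"
" define behavior for Z_CDS_Sales alias Sales
" persistent table zsales
" lock master
" authorization master ( instance )   " RAP calls the handler below before update/delete
" {
"   create;
"   update;
"   delete;
" }

" --- Behavior implementation (local handler class in ZBP_CDS_SALES) ---
CLASS lhc_sales DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Sales
      RESULT result.
ENDCLASS.

CLASS lhc_sales IMPLEMENTATION.
  METHOD get_instance_authorizations.
    " Read the company of each requested instance. IN LOCAL MODE skips the
    " framework checks, which is intended here because this method IS the check.
    READ ENTITIES OF z_cds_sales IN LOCAL MODE
      ENTITY Sales
      FIELDS ( company ) WITH CORRESPONDING #( keys )
      RESULT DATA(lt_sales).

    LOOP AT lt_sales INTO DATA(ls_sales).
      " Same object and field as the DCL, with the change activity (02), so
      " what a user may read (DCL) and may change (here) come from one role.
      AUTHORITY-CHECK OBJECT 'Z_COMP_AUTH'
        ID 'BUKRS' FIELD ls_sales-company
        ID 'ACTVT' FIELD '02'.
      DATA(lv_auth) = COND #( WHEN sy-subrc = 0
                              THEN if_abap_behv=>auth-allowed
                              ELSE if_abap_behv=>auth-unauthorized ).
      APPEND VALUE #( %tky    = ls_sales-%tky
                      %update = lv_auth
                      %delete = lv_auth ) TO result.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

If `authorization master` is omitted, RAP performs no instance check of its own and the only protection is the read-side DCL, which is exactly the unrestricted-exposure situation the sentence above warns about.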
7. Common Authorization Mistakes
- Hard-coded authorization values
- Missing backend checks
- Over-authorizing roles
- Ignoring SU24
- Skipping CDS authorization
8. Interview-Grade Explanation
Q: How do you implement authorization in modern ABAP?
Answer:
I use CDS-based authorization for data access, maintain SU24 proposals for transactions, and implement explicit AUTHORITY-CHECKs for sensitive business operations that cannot be expressed at data level.
This answer demonstrates both a modern and a practical understanding of security.
9. Summary
- Authorization objects define access rules
- SU24 manages authorization proposals
- AUTHORITY-CHECK enforces backend security
- CDS-based authorization is the modern standard
- RAP relies heavily on CDS authorization
10. Practice Exercises
- Create a custom authorization object.
- Maintain an SU24 proposal for a transaction.
- Implement AUTHORITY-CHECK in ABAP.
- Secure a CDS view using DCL.
- Test authorization behavior with different roles.
11. What’s Next?
➡️ Module 29: Transport & Quality Management
Security mistakes are production-critical—authorization must be designed, not added later.