Authorization checking in transactions and programs

SAP programs use authorization checks to protect business data and functions against unauthorized access. To pass such a check, a user needs the corresponding authorization. The check decides who may execute a function or access an object with specific field values. Authorizations control access at the application level. They are assigned in Activity Groups (up to Release 4.6B) or Roles (e.g. Release 4.6C), which are entered in the user master record.

It is important that users can carry out only those tasks they are authorized to perform, and are prevented from making unintentional or incorrect changes in system areas outside their competence.

The smallest unit against which the check should be run is the authorization field.

The ABAP statement AUTHORITY-CHECK is used to perform authorization checks in programs. Before the program accesses the database, it should run an authorization check implemented in the ABAP code. The AUTHORITY-CHECK statement first checks whether the user has an authorization containing all the required values; the program then evaluates the return code in the system field SY-SUBRC. If the required value is available for each authorization field, the check is successful (SY-SUBRC = 0). If the value is not 0, the check has failed: the user does not possess the required authorization and an error message should be displayed. AUTHORITY-CHECK sets SY-SUBRC to 4, 8, 12, 16, 24, 28, 32 or 36 depending on the cause of the failure. For example, return code 4 means that the user does not have the required authorization, and SY-SUBRC = 8 means that the check could not be carried out because not all fields of the object were specified. The field SUBRC is defined in the ABAP Dictionary structure SYST; a system field is addressed in an ABAP program in the form SY-<fieldname>.

The ABAP syntax of the AUTHORITY-CHECK statement is:
  AUTHORITY-CHECK OBJECT '<object>'
    ID '<name1>' FIELD <f1>
    ...
    ID '<name10>' FIELD <f10>.

Where <object> is the name of the authorization object to be checked, <name1>, ..., <name10> are the authorization fields of the object, and <f1>, ..., <f10> are the values for which the authorization is to be checked. If DUMMY is specified after a field name instead of FIELD <f>, that field is not checked.

Note: Keywords and options of statements are uppercase. Each statement ends with a period.
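The following report is an added example, not code from the original page: it places the AUTHORITY-CHECK before the database read and evaluates SY-SUBRC, including the DUMMY variant. ZCUST_ACC is an assumed custom authorization object with the standard fields BUKRS (company code) and ACTVT (activity); KNB1 is the standard customer company-code table.

```abap
REPORT zdemo_auth_check.

" Assumed custom authorization object ZCUST_ACC with fields
" BUKRS (company code) and ACTVT (activity, '03' = display).
PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY.

START-OF-SELECTION.
  " Coarse check with DUMMY: does the user have any display
  " authorization for the object at all, regardless of company code?
  AUTHORITY-CHECK OBJECT 'ZCUST_ACC'
    ID 'BUKRS' DUMMY
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for customer data' TYPE 'E'.
  ENDIF.

  " Fine-grained check with the actual value BEFORE the SELECT.
  AUTHORITY-CHECK OBJECT 'ZCUST_ACC'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.

  CASE sy-subrc.
    WHEN 0.
      " Authorization present: the protected data access may run.
      PERFORM display_customers USING p_bukrs.
    WHEN 4.
      " User has no authorization with these field values.
      MESSAGE 'No display authorization for this company code' TYPE 'E'.
    WHEN 8.
      " Program error: not all fields of the object were specified.
      MESSAGE 'Authorization check incomplete, contact administrator' TYPE 'E'.
    WHEN OTHERS.
      " Any other return code (12, 16, 24, ...) is a failed check too.
      MESSAGE 'Authorization check failed' TYPE 'E'.
  ENDCASE.

FORM display_customers USING iv_bukrs TYPE bukrs.
  " The database is read only after the check above succeeded.
  DATA lt_knb1 TYPE STANDARD TABLE OF knb1.
  DATA ls_knb1 TYPE knb1.
  SELECT * FROM knb1 INTO TABLE lt_knb1
    UP TO 10 ROWS
    WHERE bukrs = iv_bukrs.
  LOOP AT lt_knb1 INTO ls_knb1.
    WRITE: / ls_knb1-kunnr, ls_knb1-bukrs.
  ENDLOOP.
ENDFORM.
```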

