AUTHORITY-CHECK

Syntax

AUTHORITY-CHECK OBJECT auth_obj [FOR USER user]
                        ID id1 {FIELD val1}|DUMMY
                       [ID id2 {FIELD val2}|DUMMY]
                        ...
                       [ID id10 {FIELD val10}|DUMMY].

Addition:

... FOR USER user

Effect

This statement checks whether authorization is entered in the user master record of the current user or the user specified in user for the authorization object entered in the field auth_obj, and whether this authorization is sufficient for the request specified in the statement. A flat character-type field that contains the name of an authorization object is expected for auth_obj. Without the addition FOR USER, the authorization of the current user is checked.

With id1 ... id10, you must have at least one and can have a maximum of 10 authorization fields listed for the authorization object specified. With id1 ... id10, "flat", character-type fields are expected that contain the name of the authorization fields in uppercase letters. If an authorization field is specified that does not appear in the authorization object, no check can be executed and sy-subrc is set to 4. For each specified authorization field, you must specify with FIELD either a value to be checked in a flat, character-type field val1 ... val10 or the addition DUMMY.

The authority check is carried out if the check indicator for the specified authorization object for the current context is set to check with any proposal status. If the check indicator is set to no check, no authority check is carried out and sy-subrc is set to 0, as with a successful check.

The authorization check is successful if one or several authorizations are created for the authorization object in the user master record and if - for at least one of the authorizations - each of the value sets defined there for the authorization fields specified using FIELD includes the value val1 ... val10 to be checked. Authorization fields that are not included in the statement or that have DUMMY specified for them are not checked. If the check is successful, sy-subrc is set to 0. Otherwise, it is set to a value not equal to 0 (see below).

System Fields

sy-subrc	Meaning
0	Authorization successful or no check was carried out. An authorization for the authorization object was found in the user master record. It's value sets include the specified values.
4	Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
12	No authorization was found for the authorization object in the user master record.
24	Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
40	An invalid user ID has been entered in user.

Notes

The authorization fields of an authorization object are fields for data and a field with the name ACTVT for activities. Activities are represented by abbreviations with two characters that are defined in the ACTVT column of the database table TACT or have a customer-specific definition in TACTZ. Possible activities are assigned to the authorization field ACTVT in the authorization object. In the user master record, you have authorizations for data and activities in the form of operands for logical expressions stored as value sets. Here, masking characters can be used for generic authorizations.

When checking the authorization of the current user without the addition FOR USER, the content of the system field sy-uname is not evaluated, but the actual user name is used instead.
The most important contexts for which check indicators can be set are transactions. The execution of a statement AUTHORITY-CHECK can have different results depending on how the current program flow was started. In general, a check indicator should always been set to check.
For authorization objects of the areas SAP NW AS ABAP (BC) and human resources management (HR), a check indicator cannot be set to no check.

Addition

... FOR USER user

Example

Check as to whether the current user has the authorization required for displaying the airline that he specifies on the selection screen. The used authorization object is called S_CARRID and includes the authorization fields CARRID for the name of an airline and ACTVT for the activity. The abbreviation "03" stands for the "Display" activity and is one of the activities that are assigned to the authorization object S_CARRID.

PARAMETERS carr TYPE spfli-carrid.

AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD carr
    ID 'ACTVT'  FIELD '03'.

  IF sy-subrc <> 0.
    MESSAGE 'No authorization' TYPE 'E'.
  ENDIF.