Subject Area: SAP-ABAP (Security & Access Control)
In any enterprise system like SAP, data security and controlled access are essential to prevent unauthorized actions, data leakage, or fraud — what might be termed "crimes" in SAP if exploited maliciously. ABAP developers and security administrators play a critical role in designing and enforcing access control using authorization objects and profiles.
This article explains how authorization works in SAP, how to use authorization objects and profiles effectively, and how to avoid common pitfalls that can lead to security breaches.
An authorization object in SAP is a logical grouping of fields that control access to specific data or actions. Each object represents a permission requirement for executing a function — such as viewing financial records, changing master data, or running specific transactions.
The object S_TCODE controls access to transactions.
The object F_BKPF_BUK controls access to accounting documents by company code.
Each object can have one or more authorization fields, which define the scope (e.g., company code, activity type).
An authorization profile is a collection of authorization objects. These profiles are assigned to roles, which are in turn assigned to user accounts. In newer SAP systems (post-4.6C), profiles are usually generated automatically by roles created in PFCG (Profile Generator).
ABAP developers often create custom transactions, reports, or interfaces that access sensitive data. Without properly integrated authorization checks, these custom programs can become security vulnerabilities, allowing users to perform actions outside their intended scope — a major compliance and risk issue.
AUTHORITY-CHECK Statement
This ABAP statement is used to verify whether the current user has the required authorization. You name the authorization object and supply a value for each of its fields; the system compares those values against the user's authorizations.

DATA lv_bukrs TYPE bukrs. " company code to check, filled from user input (e.g. a selection-screen parameter), not hardcoded

" Does the current user hold F_BKPF_BUK for this company code with activity 03 (display)?
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '03'.

SY-SUBRC
AUTHORITY-CHECK sets sy-subrc: 0 means the user holds all the listed field values, any other value means the check failed. The statement itself never stops the program, so the program must evaluate sy-subrc and react.

IF sy-subrc <> 0.
  MESSAGE 'You are not authorized to display this data' TYPE 'E'.
ENDIF.
Encapsulate authorization logic in a reusable form or class to improve consistency and auditability.
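The following is an added example, not code from the original article, showing one way to encapsulate the F_BKPF_BUK check in a class and call it from a report whose company code comes from the selection screen rather than from a literal. The class name zcl_fi_auth, its method is_bukrs_allowed and the parameter names are assumptions; F_BKPF_BUK, BUKRS and ACTVT are the standard SAP object and fields discussed above. The check runs in AT SELECTION-SCREEN so that a TYPE 'E' message returns the user to the screen instead of leaving a partly executed report.

```abap
" Added example (not from the original article). zcl_fi_auth and the
" report layout are hypothetical; F_BKPF_BUK / BUKRS / ACTVT are standard SAP.
CLASS zcl_fi_auth DEFINITION.
  PUBLIC SECTION.
    CONSTANTS:
      c_actvt_change  TYPE activ_auth VALUE '02',
      c_actvt_display TYPE activ_auth VALUE '03'.

    " Returns abap_true only if the current user may perform the given
    " activity on accounting documents of the given company code.
    CLASS-METHODS is_bukrs_allowed
      IMPORTING
        iv_bukrs          TYPE bukrs
        iv_actvt          TYPE activ_auth
      RETURNING
        VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS zcl_fi_auth IMPLEMENTATION.
  METHOD is_bukrs_allowed.
    " One place where the object name and field IDs live, so every caller
    " is checked the same way and an auditor has a single spot to review.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD iv_bukrs
      ID 'ACTVT' FIELD iv_actvt.
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

" Company code and requested activity come from the selection screen, not
" from literals, so the report works for any company code the user is
" authorized for and the authorization decision stays with the role.
PARAMETERS:
  p_bukrs TYPE bukrs OBLIGATORY,
  p_chg   TYPE abap_bool AS CHECKBOX.   " tick to request change (02) instead of display (03)

AT SELECTION-SCREEN.
  DATA(lv_actvt) = COND activ_auth(
    WHEN p_chg = abap_true THEN zcl_fi_auth=>c_actvt_change
    ELSE zcl_fi_auth=>c_actvt_display ).

  IF zcl_fi_auth=>is_bukrs_allowed( iv_bukrs = p_bukrs
                                    iv_actvt = lv_actvt ) = abap_false.
    " TYPE 'E' here keeps the user on the selection screen; the failed
    " check can afterwards be inspected with transaction SU53.
    MESSAGE |You are not authorized for activity { lv_actvt } in company code { p_bukrs }| TYPE 'E'.
  ENDIF.

START-OF-SELECTION.
  " Only reached when the check above passed: read and process the
  " documents for p_bukrs here.
```

Because the class method returns a boolean instead of raising the message itself, the same check can be reused from a report, a function module or an OData handler, each deciding how to report a failure, while the object and field names stay in one reviewable place.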
Missing Authorization Checks
Failing to include AUTHORITY-CHECK in custom programs is one of the most common security oversights.
Hardcoding Values
Avoid hardcoding BUKRS, WERKS, or activity types. Always use dynamic fields or parameters to allow flexibility.
Over-Authorization
Assigning broad profiles like SAP_ALL in production is dangerous and can lead to misuse or data theft.
Lack of Logging
Programs that change data should include logging or use change documents for traceability.
Inadequate Role Testing
Always test custom roles and profiles in a QA environment to ensure that the principle of least privilege is upheld.
Authorization objects and profiles form the backbone of SAP’s security model. As ABAP developers, understanding how to properly implement and check authorizations is not just about good coding practices — it's about protecting the integrity of the business and avoiding serious security violations.
Neglecting these principles can open the door to abuse or inadvertent "SAP crimes." But by integrating robust authorization checks, collaborating with security teams, and leveraging tools like PFCG and SU24, you can build secure and compliant ABAP applications that support both business agility and governance.