ABAP Security Concepts

Database logical units of work (LUWs) and the bundling techniques used with an SAP LUW ensure that data is consistent at the end of a transaction.


Along with the lock objects used at the application level, SAP implicitly sets database locks when the Open SQL statements SELECT, INSERT, UPDATE, MODIFY, or DELETE are used. These lock concepts further ensure data consistency.


Data security is another vital component to consider. Ensuring that only authorized users have access to data is critical for businesses. For example, you wouldn’t want an employee to see the compensation benefits or personal data of other employees. Open SQL statements in themselves don’t perform any authorization checks when they’re executed; user authorizations should be checked at the application level before providing access to data.


To facilitate user authorization in application programs, you can use authorization objects when programming with ABAP. An authorization object consists of up to 10 authorization fields. that are used to check if the user has authorization for a certain activity in the system. For example, the figure below shows the authorization object S_CARRID with a couple of authorization fields—CARRID and ACTVT. The CARRID field expects the airline code for which the authorization should be checked for the user.


Authorization Object


The ACTVT field expects the activity that should be checked, such as Change or Display. Clicking the Permitted Activities button shows you the available activities that can be checked. This allows you to check for various activities based on the user actions in the application. For example, you may want to give display access to a certain user but not

change the user’s access.


In the example above, we can use the S_CARRID authorization object to check if the user has Create or generate authorization. This check can be performed before creating new records with the INSERT statement.


Similarly, we can check if the user has Display authorization before executing the SELECT statement to select the data.


The authorization object is called in the application program using the AUTHORITY-CHECK OBJECT statement. The Pattern button in the ABAP Editor can be used to insert the required syntax. Below shows sample code to check if the user has display authorization for a particular airline.


PARAMETERS p_carrid TYPE spfli-carrid.



ID 'CARRID' FIELD p_carrid



IF sy-subrc <> 0.

   MESSAGE 'No Authorization for the Airline' TYPE 'E'.



Authorization objects are created by Basis administrators, and the authorization profile is maintained in the user master record. The AUTHORITY-CHECK statement checks the user profile to identify whether the user has the required authorization. It’s always good practice to perform the authorization check early in the program.


Editor’s note: This post has been adapted from a section of the book Complete ABAP by Kiran Bandari.


Complete ABAP
Complete ABAP

Get everything you need to code with ABAP, all in one place! Are you a beginner looking for a refresher on the basics? You'll get an overview of SAP architecture and learn syntax. Already an experienced programmer and looking to improve your ABAP skills? Dive right into modifications and code enhancements. Understand the programming environment and build reports, interfaces, and applications with this complete reference to coding with ABAP!

Learn More

SAP PRESS is the world's leading SAP publisher, with books on ABAP, SAP S/4HANA, SAP CX, intelligent technologies, SAP Business Technology Platform, and more!