What is SU24 and how to maintain authorization object
Source: http://sapsecurityanalyst.com/WP/general-disclaimer/su24-concept-in-sap
A transaction code (tcode) is essentially a command: when executed, it runs an ABAP program, report, etc. While the program runs, it may check certain authorization objects.
These authorization objects are coded in the program in “AUTHORITY-CHECK” statements.
SU24 is one of the most important tcodes in SAP Security. It is used to maintain authorization objects that are checked during the execution of a particular transaction code.
For example, a screenshot of the SU24 entry for transaction code PFCG is shown in the figure below:
SU24 is like a check and check-maintain “container” used for maintaining the authorization objects that are checked when ABAP programs are executed.
Whenever a tcode (or program) checks whether the user has access to some authorization object for the task concerned, it is good practice to add that authorization object to the SU24 entry for that transaction code.
Let's go through some of the important concepts related to SU24. For that, let's look at the SU24 screenshot for tcode FPE3S below:
As we can see, this screen shows the SU24 entries for tcode FPE3S. On the left side we have the tcode name and description; on the right side we have the authorization objects and other fields such as TSTCS, Check Indicator and Proposal.
The Object field shows the list of authorization objects which are checked for tcode FPE3S.
We have already discussed that SU24 maintains the authorization objects checked by a tcode. However, simply maintaining an authorization object there does not mean that the object will be checked: the object must also be coded in an “AUTHORITY-CHECK” statement in the ABAP code. Inserting an authorization object in SU24 that is not checked in the program is not going to make any difference.
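The following is an added example (not from the original article or from SAP) of what such an AUTHORITY-CHECK statement looks like in an ABAP report, using the object F_KKKO_BEG discussed later on this page. It assumes F_KKKO_BEG carries the fields BEGRU (authorization group) and ACTVT (activity) and that 03 (Display) is the activity proposed for FPE3S; the report name and selection parameter are hypothetical.

```abap
REPORT z_su24_demo_authcheck.
" Hypothetical report illustrating the AUTHORITY-CHECK statement that an
" SU24 entry refers to. The SU24 entry itself does not perform the check;
" it only documents (and, via the check indicator, can suppress) a check
" that must exist in code like this.
" Assumption: object F_KKKO_BEG has the fields BEGRU and ACTVT, and the
" proposal maintained in SU24 for FPE3S is ACTVT = 03 (Display).

PARAMETERS: p_begru TYPE c LENGTH 4 DEFAULT '0001'.

START-OF-SELECTION.
  " Each ID/FIELD pair names an authorization field and the value the
  " user must be authorized for. A field not relevant to the check can
  " be skipped with ID '...' DUMMY instead of a FIELD value.
  AUTHORITY-CHECK OBJECT 'F_KKKO_BEG'
    ID 'BEGRU' FIELD p_begru
    ID 'ACTVT' FIELD '03'.

  " sy-subrc 0 = authorized, 4 = user lacks the authorization;
  " other values indicate a problem with the object or the call itself.
  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Authorized to display documents of authorization group',
               p_begru.
    WHEN 4.
      MESSAGE 'No authorization for this authorization group' TYPE 'E'.
    WHEN OTHERS.
      MESSAGE 'AUTHORITY-CHECK could not be evaluated' TYPE 'E'.
  ENDCASE.
```

When a role is built from a menu containing FPE3S, the Check/Yes proposal in SU24 pre-fills exactly these two fields for F_KKKO_BEG, so the role author only has to confirm or restrict the organizational values.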
SU24 also lets us set an authorization object to “Do not check”, i.e. even if the object is coded in the program, it will not be checked while executing the tcode. As shown in the figure above, the Check Indicator field gives us this option to set the check value for the authorization object to “Check” or “Do Not Check”.
Next to the Check Indicator field is the Proposal field. It can have the values “Yes” or “No”. Let's discuss the Proposal field via the screenshot below:
We can see in the above figure that for object F_KKKO_BEG, the proposal value is set to “Yes”.
If we double-click on the object F_KKKO_BEG, or click on “Field Values” (as shown in the figure), we see some authorization field values for object F_KKKO_BEG at the bottom of the screen as shown above. These are the proposed values: when the tcode FPE3S (in this example) is added to any role menu, these values are automatically pulled into the role.
This is helpful because the important objects set to proposal “Yes” are pulled into the role automatically, which greatly eases role maintenance.
If the proposal value is set to “No” and the Check Indicator is set to “Check”, the object will be checked during tcode execution, but no default proposed value is pulled into the role when the tcode is added to the role menu.
Let's have a summarized look at what we discussed about check indicators:
- Check / No – The authorization object is checked during tcode execution, but no authorization field value is proposed when the tcode is added to the Role Menu.
- Check / Yes – The authorization object is checked during tcode execution and is automatically pulled into the role when the tcode is added to the Role Menu. The authorization that is pulled in may or may not carry field values, depending on what is maintained in SU24 for that object and tcode.
- Do Not Check – The object is not checked even though it may be in the ABAP code.
NOTE: The Do Not Check check indicator CANNOT be set for HR and BASIS tcodes.