Controlling access to tables in SAP has always been a challenge. The standard way SAP provides to restrict access to tables is through table groups or specific tables (using the S_TABU_DIS or S_TABU_NAM authorization objects and the traditional table view and modification transactions). Authorization objects are the basic unit for controlling user permissions in an SAP system; in this case, the mentioned objects control access to the entire table, but not based on its content.
Among best practices, it is most accepted to create a parameter transaction with the specific table and avoid broad access that could compromise other unwanted tables. These parameter transactions are nothing more than transactions that are based on another transaction but applying specific parameters. Thus, it is possible to create a new transaction that uses the SM30 (table modification) as its base but directly loads the table indicated in the parameter, instead of allowing the user to select the one they want.
However, it is also possible to implement authorization checks that examine the internal information of the table, opening up the possibility of implementing more specific restrictions. In this article, we will see how to implement these restrictions using the Events of the Table Maintenance Generator (TMG).
What are the Table Maintenance Generator Events?
The Table Maintenance Generator is an SAP tool that allows for the necessary configuration to modify a table (specifically, generate the table maintenance program), directly from a standard interface. It can be accessed from the SE11 – ABAP Dictionary Maintenance or SE54 – Generate table view transactions.
With this tool, it is possible to introduce and modify entries in the table, establish the Authorization Group, modify the interface, and even the programs associated with the maintenance of this table; in this case, we will focus on the Events.
The TMG Events allow us to associate a new FORM routine with a specific event that can occur during the maintenance of a table. This routine will effectively be a new ABAP program that will execute at the time indicated by the event. Therefore, it is possible to include in this ABAP code any behavior desired. SAP provides a wide variety of events, several examples of which can be seen in the image above.
How to implement a custom restriction?
Using the Events discussed earlier, our goal is to implement a custom restriction in the modification of a custom table, ensuring that only users authorized for a particular organizational value can modify the rows corresponding to that organizational value.
We start by creating and configuring a custom table using the SE11 transaction. Our table is enabled for modification and consists of 4 fields:
-
- Client (MANDT): necessary to make the table client-specific.
- Company Code (Z_BUKRS): the organizational value with which we will apply the restriction.
- Sales Organization (Z_VKORG): a second organizational value.
- Approver (Z_APPROVER): an approver user according to the combination of previous organizational values.
In the TMG, we have assigned an authorization group for our table and a function group for the maintenance program. In addition, we have selected the one-step maintenance type and obtained the screen number 1 using Find Scr. Number(s):
At this point, our table is ready to be modified using the TMG itself.
In this example, we went a bit further and decided to create a custom transaction (parameter transaction of the SM30 – Call View Maintenance) that facilitates the modification of this table. The new transaction was created using the SE93 – Maintain Transaction Codes transaction:
To configure the new routine we want to execute, we access the Events section of the TMG and add a new entry:
We select the event we want to use, give a name to the routine, and click the ‘Editor’ button.
We select the option to add a new Include, which will open an ABAP editor where we can enter the code of our routine according to our needs. According to our example, we were interested in adding a restriction with the organizational value Company Code (Z_BUKRS) when the user tried to modify the table. For this, we used a very simple code and event 01, as it allows us to check new entries, modifications, and deletions.
Seleccionamos la opción de añadir un nuevo Include, lo cual nos abrirá un editor ABAP donde podremos introducir el código de nuestra rutina según nuestras necesidades. Según nuestro ejemplo, nos interesaba añadir una restricción con el valor organizativo Company Code (Z_BUKRS) cuando el usuario intentara modificar la tabla. Para ello hemos utilizado un código muy simple y el evento 01, ya que nos permite comprobar nuevas entradas, modificaciones y eliminaciones.
In this code, we decided to implement an authorization check with the object F_BKPF_BUK and the organizational value Company Code (Z_BUKRS in our table, BUKRS in the standard), checking the activity ’02’ (modification). The authorization object should always be used according to the organizational value being checked, and a new custom object could even be created to avoid expanding authorizations in other critical standard transactions.
Conclusion
The TMG routines and events are a very versatile tool that allows enhancing the functionality of tables in general. Many companies today use SAP’s custom tables to expand and adapt the standard functionality to their business processes; using this tool, it is possible to reduce the necessary developments to achieve the goal and improve functionality according to the more specific needs of each company. We could be including additional validations to the information included in the table, or we could modify the way it is displayed, to give some examples.
In our specific case, we have managed to introduce an authorization check with an organizational value, something that the standard does not contemplate for tables and that is often a valuable addition for the company, which requires its structure to be properly segregated.
