{"id":"2f681f95-71c4-443d-a1a8-b0f790d0de81","shortId":"BqHU2e","kind":"skill","title":"authorization-iam","tagline":"Help with ABAP authorization and IAM (Identity and Access Management) including authorization objects, authorization checks, IAM apps, business catalogs, business roles, restriction types, CDS access control (DCL), privilege access annotations, and role-based access in ABAP Cloud","description":"# Authorization & IAM\n\nGuide for implementing authorization checks and identity/access management in ABAP Cloud and on-premise systems.\n\n## Workflow\n\n1. **Determine the user's goal**:\n   - Implementing authorization checks in ABAP code\n   - Creating CDS access controls (DCL)\n   - Setting up IAM apps, business catalogs, and business roles (ABAP Cloud)\n   - Managing PFCG roles (on-premise)\n   - Defining custom authorization objects\n   - Understanding restriction types\n\n2. **Identify the platform**:\n   - ABAP Cloud (BTP or S/4HANA embedded) → IAM apps + business catalogs + `AUTHORITY-CHECK` in code (the statement is allowed in ABAP for Cloud Development) + CDS access control (DCL) for reads\n   - On-premise / Standard ABAP → PFCG roles + `AUTHORITY-CHECK`, optionally DCL on CDS views\n\n3. 
**Guide implementation** with the appropriate authorization model\n\n## Authorization Models\n\n### ABAP Cloud (BTP / S/4HANA Cloud)\n\n```\nIAM App → Business Catalog → Business Role → Business User\n                                    ↑\n                            Restriction Type (field-level restrictions)\n```\n\n### On-Premise (Standard ABAP)\n\n```\nAuthorization Object → PFCG Role → User Assignment\n       ↑\nAuthorization Fields + Permitted Values\n```\n\n## Authorization Checks in Code\n\n### ABAP Cloud — `CL_ABAP_AUTHORIZATION`\n\n```abap\n\"Check authorization through a class-based API (see the note below)\nDATA(lo_auth) = cl_abap_authorization=>check_authorization(\n  EXPORTING\n    authorization_object = 'Z_MY_AUTH'\n    authorizations       = VALUE #(\n      ( field = 'ACTVT' value = '03' )    \"Display\n      ( field = 'ZCARR' value = lv_carrier )\n    ) ).\n\nIF lo_auth->is_authorized( ) = abap_false.\n  \"User not authorized\n  RAISE EXCEPTION TYPE zcx_not_authorized.\nENDIF.\n```\n\n**Note:** ABAP for Cloud Development compiles only against released APIs, so confirm in ADT (API state / Released Objects) that `CL_ABAP_AUTHORIZATION` is released in your system before relying on it. The `AUTHORITY-CHECK` statement shown next is allowed in ABAP for Cloud Development as well and is the form SAP's RAP examples use, so it is the safe choice on both platforms.\n\n### On-Premise — `AUTHORITY-CHECK`\n\n```abap\nAUTHORITY-CHECK OBJECT 'Z_MY_AUTH'\n  ID 'ACTVT' FIELD '03'\n  ID 'ZCARR' FIELD lv_carrier.\n\n\"Evaluate sy-subrc immediately; any later statement may overwrite it\nIF sy-subrc <> 0.\n  MESSAGE e001(z_msg) WITH lv_carrier.\n  RETURN.\nENDIF.\n```\n\nList every field of the object in the statement; a field that is deliberately not evaluated is given as `ID 'ZREGN' DUMMY` rather than omitted. Check the concrete activity of the operation (change, delete) and never let a display check (`03`) authorize a write.\n\n### Activity Values (ACTVT)\n\n| Value | Activity |\n| ----- | -------- |\n| `01`  | Create   |\n| `02`  | Change   |\n| `03`  | Display  |\n| `06`  | Delete   |\n| `16`  | Execute  |\n\n## Authorization Objects\n\n### Creating a Custom Authorization Object\n\nIn ADT or `SU21`:\n\n```\nAuthorization Object: Z_MY_AUTH\n  Fields:\n    ACTVT  — Activity (standard field, linked to domain ACTIV_AUTH)\n    ZCARR  — Carrier (custom field, type S_CARR_ID)\n    ZREGN  — Region (custom field, type CHAR4)\n```\n\n#### Structure\n\n- **Authorization Class**: Groups related objects (e.g., `Z_TRAVEL`)\n- **Authorization Object**: Contains 1–10 authorization fields\n- **Authorization Field**: Links to a data element; defines the check dimension\n\n## CDS Access Control (DCL)\n\nCDS 
access controls define row-level authorization for CDS view entities. A DCL is evaluated only for entities annotated with `@AccessControl.authorizationCheck: #CHECK` or `#MANDATORY`; with `#NOT_REQUIRED` or `#NOT_ALLOWED` the view returns all rows no matter which roles are defined for it, so check the annotation first when a role seems to have no effect.\n\n### Basic DCL\n\n```cds\n@EndUserText.label: 'Access Control for Travel'\n@MappingRole: true\ndefine role ZI_Travel {\n  grant select on ZI_Travel\n    where ( carrier_id ) =\n      aspect pfcg_auth ( Z_MY_AUTH, ZCARR, ACTVT = '03' );\n}\n```\n\n`@MappingRole: true` applies the role to every user; the `pfcg_auth` aspect then keeps only the rows whose `carrier_id` matches a `ZCARR` value the user holds in `Z_MY_AUTH` with activity `03`.\n\n### Multiple Conditions\n\n```cds\ndefine role ZI_Travel {\n  grant select on ZI_Travel\n    where ( carrier_id ) =\n      aspect pfcg_auth ( Z_MY_AUTH, ZCARR, ACTVT = '03' )\n      and ( agency_id ) =\n      aspect pfcg_auth ( Z_AGENCY_AUTH, ZAGENCY, ACTVT = '03' );\n}\n```\n\n### Unrestricted Access\n\nA grant without a `where` clause returns every row to every user the role applies to:\n\n```cds\ndefine role ZI_Travel_Admin {\n  grant select on ZI_Travel;\n}\n```\n\nThe conditions of all roles defined for the same entity are combined with OR, so a second, unrestricted mapping role on `ZI_Travel` would cancel the carrier filter of `ZI_Travel` for every user. Use unrestricted grants only for entities that genuinely need no row filter, not as an admin shortcut next to a restricted role.\n\n### Inherited Access Control\n\nA child entity reuses the conditions of its parent's access control instead of repeating them. The inheriting entity must expose the elements used in the parent's conditions (here `carrier_id`) under the same names; the `replacing` addition of `inheriting conditions` maps names that differ.\n\n```cds\n// ZI_Booking takes over the row filter defined for ZI_Travel\ndefine role ZI_Booking {\n  grant select on ZI_Booking\n    where inheriting conditions from entity ZI_Travel;\n}\n```\n\n### DCL and PRIVILEGED ACCESS\n\n`WITH PRIVILEGED ACCESS` switches the DCL off for one statement. Use it only in code paths that are authorization-gated themselves (a background job, a technical service), where the language version allows it, and never to hand unfiltered rows back to the calling user:\n\n```abap\n\"Bypass DCL access control when needed (e.g., in background jobs)\nSELECT FROM zi_travel WITH PRIVILEGED ACCESS\n  FIELDS travel_id, description\n  INTO TABLE @DATA(lt_all).\n```\n\n## IAM in ABAP Cloud\n\n### IAM App\n\nCreated in ADT, links a service binding to the authorization model:\n\n```\nADT: New → Other → IAM App\nName: Z_TRAVEL_IAM\nType: EXT - External App (for OData services)\nService Binding: ZUI_TRAVEL_O4\n```\n\nOn the IAM app's Authorizations tab, add the authorization objects that the code and DCL behind the service check (here `Z_MY_AUTH`) and maintain their default values; their fields (`ZCARR`) then become available as restriction types in business roles. An authorization object the IAM app does not list is not granted to users of that app, whatever the role says. Publish the IAM app locally before adding it to a business catalog.\n\n### Business Catalog\n\nGroups IAM Apps into logical bundles:\n\n```\nADT: New → Other → Business Catalog\nName: Z_BC_TRAVEL_MGMT\nDescription: Travel Management\nIAM Apps: Z_TRAVEL_IAM, Z_BOOKING_IAM\n```\n\nPublish the catalog locally as well; only a published catalog can be added to a business role.\n\n### Business Role\n\nCreated in Fiori app \"Maintain Business Roles\":\n\n1. Create new business role (e.g., `Z_BR_TRAVEL_MANAGER`)\n2. Add business catalogs\n3. Configure restriction types (field-level access)\n4. 
Assign business users\n\n### Restriction Types\n\nRestriction types group the authorization fields (e.g., `ZCARR`) that the IAM apps in the assigned catalogs expose. For each restriction type the business role sets an access category, separately for Write, Read and Value Help:\n\n| Access Category  | Description                               |\n| ---------------- | ----------------------------------------- |\n| **Unrestricted** | Full access to all values                 |\n| **Restricted**   | Access limited to the values maintained   |\n| **No Access**    | No access to the associated functionality |\n\nExample: A travel manager role might restrict `ZCARR` to only `LH` and `AA` for Write and leave Read unrestricted. Unrestricted write access on a restriction type grants every value of its fields, so decide it deliberately rather than by default.\n\n## On-Premise: PFCG Roles\n\n### Creating a PFCG Role\n\n1. Open `PFCG` transaction\n2. Enter role name (e.g., `Z_TRAVEL_DISPLAY`)\n3. **Menu tab**: Add transaction codes, Fiori tiles, or apps\n4. **Authorizations tab**: Maintain authorization values\n   - Set authorization objects and field values\n   - Generate the authorization profile (an ungenerated profile grants nothing at runtime)\n5. **User tab**: Assign users to the role\n6. **Verify**: log on as a test user with only this role; a rejected action can be traced with `SU53` (last failed authorization check)\n\n### Composite Roles\n\nBundle multiple single roles:\n\n```\nZ_TRAVEL_COMPOSITE (Composite Role)\n├── Z_TRAVEL_DISPLAY (Single Role — display only)\n├── Z_TRAVEL_EDIT (Single Role — create/change)\n└── Z_TRAVEL_ADMIN (Single Role — full access)\n```\n\n## RAP Authorization\n\n### Instance Authorization in RAP\n\n```abap\n// In behavior definition (BDEF comments use //); instance and global\n// control can be combined as: authorization master ( instance, global )\ndefine behavior for ZR_Travel alias Travel\n  authorization master ( instance )\n{\n  ...\n}\n```\n\n```abap\n\"In behavior implementation: decide every requested operation separately,\n\"with the activity that matches it. Reusing one check for update and\n\"delete would let change authorization (02) grant delete (06).\nMETHOD get_instance_authorizations.\n  READ ENTITIES OF zr_travel IN LOCAL MODE\n    ENTITY Travel\n    FIELDS ( carrier_id )\n    WITH CORRESPONDING #( keys )\n    RESULT DATA(lt_travels).\n\n  DATA ls_result LIKE LINE OF result.\n\n  LOOP AT lt_travels INTO DATA(ls_travel).\n    CLEAR ls_result.\n    ls_result-%tky = ls_travel-%tky.\n\n    IF requested_authorizations-%update = if_abap_behv=>mk-on.\n      DATA(lo_auth_update) = cl_abap_authorization=>check_authorization(\n        authorization_object = 'Z_MY_AUTH'\n        authorizations       = VALUE #(\n          ( field = 'ZCARR' value = ls_travel-carrier_id )\n          ( field = 'ACTVT' value = '02' ) ) ).    \"Change\n      ls_result-%update = COND #( WHEN lo_auth_update->is_authorized( ) = abap_true\n                                  THEN if_abap_behv=>auth-allowed\n                                  ELSE if_abap_behv=>auth-unauthorized ).\n    ENDIF.\n\n    IF requested_authorizations-%delete = if_abap_behv=>mk-on.\n      DATA(lo_auth_delete) = cl_abap_authorization=>check_authorization(\n        authorization_object = 'Z_MY_AUTH'\n        authorizations       = VALUE #(\n          ( field = 'ZCARR' value = ls_travel-carrier_id )\n          ( field = 'ACTVT' value = '06' ) ) ).    \"Delete\n      ls_result-%delete = COND #( WHEN lo_auth_delete->is_authorized( ) = abap_true\n                                  THEN if_abap_behv=>auth-allowed\n                                  ELSE if_abap_behv=>auth-unauthorized ).\n    ENDIF.\n\n    APPEND ls_result TO result.\n  ENDLOOP.\nENDMETHOD.\n```\n\n### Global Authorization in RAP\n\n```abap\n// In behavior definition:\ndefine behavior for ZR_Travel alias Travel\n  authorization master ( global )\n{\n  ...\n}\n```\n\n```abap\n\"Global checks run once per request before any instance is read;\n\"they suit create, where no instance (and no carrier) exists yet.\nMETHOD get_global_authorizations.\n  DATA(lo_auth) = cl_abap_authorization=>check_authorization(\n    authorization_object = 'Z_MY_AUTH'\n    authorizations       = VALUE #(\n      ( field = 'ACTVT' value = '01' ) ) ).  \"Create\n\n  IF lo_auth->is_authorized( ).\n    result-%create = if_abap_behv=>auth-allowed.\n  ELSE.\n    result-%create = if_abap_behv=>auth-unauthorized.\n  ENDIF.\nENDMETHOD.\n```\n\n## Output Format\n\nWhen helping with authorization/IAM topics, structure responses as:\n\n```markdown\n## Authorization Guidance\n\n### Platform\n\n- [ABAP Cloud / On-Premise]\n- Approach: [CDS DCL / AUTHORITY-CHECK / CL_ABAP_AUTHORIZATION / IAM]\n\n### Implementation\n\n[Step-by-step with code examples]\n\n### Role Configuration\n\n[How to set up roles and assign access]\n```\n\n## References\n\n- ABAP Authorization Cheat Sheet: https://github.com/SAP-samples/abap-cheat-sheets\n- CDS Access Control: https://help.sap.com/docs/abap-cloud/abap-development-tools-user-guide/access-controls\n- IAM Guide: 
https://help.sap.com/docs/btp/sap-business-technology-platform/identity-and-access-management-iam","tags":["authorization","iam","abap","skills","likweitan","agent-skills","sap"],"capabilities":["skill","source-likweitan","skill-authorization-iam","topic-abap","topic-agent-skills","topic-sap"],"categories":["abap-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/likweitan/abap-skills/authorization-iam","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add likweitan/abap-skills","source_repo":"https://github.com/likweitan/abap-skills","install_from":"skills.sh"}},"qualityScore":"0.456","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 12 github stars · SKILL.md body (8,109 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T01:03:16.316Z","embedding":null,"createdAt":"2026-04-23T13:03:44.879Z","updatedAt":"2026-04-24T01:03:16.316Z","lastSeenAt":"2026-04-24T01:03:16.316Z","prices":[{"id":"427e3fd0-e853-4874-aa2f-b5457fa8ec8a","listingId":"2f681f95-71c4-443d-a1a8-b0f790d0de81","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"likweitan","category":"abap-skills","install_from":"skills.sh"},"createdAt":"2026-04-23T13:03:44.879Z"}],"sources":[{"listingId":"2f681f95-71c4-443d-a1a8-b0f790d0de81","source":"github","sourceId":"likweitan/abap-skills/authorization-iam","sourceUrl":"https://github.com/likweitan/abap-skills/tree/main/skills/authorization-iam","isPrimary":false,"firstSeenAt":"2026-04-23T13:03:44.879Z","lastSeenAt":"2026-04-24T01:03:16.316Z"}],"details":{"listingId":"2f681f95-71c4-443d-a1a8-b0f790d0de81","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"likweitan","slug":"authorization-iam","github":{"repo":"likweitan/abap-skills","stars":12,"topics":["abap","agent-skills","sap"],"license":"mit","html_url":"https://github.com/likweitan/abap-skills","pushed_at":"2026-04-17T13:44:41Z","description":"Advance Agent Skills for ABAP Developers","skill_md_sha":"77ca73fcb309844d1c7f4ad3ab798b87c8465e6f","skill_md_path":"skills/authorization-iam/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/likweitan/abap-skills/tree/main/skills/authorization-iam"},"layout":"multi","source":"github","category":"abap-skills","frontmatter":{"name":"authorization-iam","description":"Help with ABAP authorization and IAM (Identity and Access Management) including authorization objects, authorization checks, IAM apps, business catalogs, business roles, restriction types, CDS access control (DCL), privilege access annotations, and role-based access in ABAP Cloud and on-premise. 
Use when users ask about authorization, AUTHORITY-CHECK, authorization object, IAM app, business catalog, business role, restriction type, CDS access control, DCL, access control, privilege annotation, role assignment, PFCG role, S_DEVELOP, or securing ABAP applications. Triggers include \"authorization check\", \"create authorization object\", \"CDS access control\", \"IAM app\", \"business catalog\", \"business role\", \"PFCG\", \"restrict access\", or \"role-based security\"."},"skills_sh_url":"https://skills.sh/likweitan/abap-skills/authorization-iam"},"updatedAt":"2026-04-24T01:03:16.316Z"}}
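Worked example for the RAP Authorization section of the listing above, added here by the editor; it is not part of the SKILL.md record or of the likweitan/abap-skills project. It shows the instance and global handlers written with the `AUTHORITY-CHECK` statement, which is allowed in ABAP for Cloud Development and is the form SAP's RAP examples use, with one check per requested operation. Everything named is an assumption made for the example: a RAP business object `ZR_Travel` (alias `Travel`) whose element `carrier_id` is typed by the data element `S_CARR_ID` used for the `ZCARR` field, an action `approveTravel` on that entity, and the authorization object `Z_MY_AUTH` with fields `ZCARR` and `ACTVT`.

```abap
" Added example (editor-supplied; not from the SKILL.md record or the
" likweitan/abap-skills project). Assumptions, all hypothetical: RAP BO
" ZR_Travel (alias Travel) with element carrier_id typed by S_CARR_ID and an
" action approveTravel; authorization object Z_MY_AUTH with fields ZCARR and
" ACTVT. AUTHORITY-CHECK is used because the statement is allowed in ABAP for
" Cloud Development.
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    CONSTANTS:
      BEGIN OF c_actvt,
        create  TYPE c LENGTH 2 VALUE '01',
        change  TYPE c LENGTH 2 VALUE '02',
        delete  TYPE c LENGTH 2 VALUE '06',
        execute TYPE c LENGTH 2 VALUE '16',
      END OF c_actvt.

    METHODS get_global_authorizations FOR GLOBAL AUTHORIZATION
      IMPORTING REQUEST requested_authorizations FOR Travel RESULT result.

    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Travel RESULT result.

    " One AUTHORITY-CHECK per (activity, carrier) pair, mapped to the RAP flag.
    METHODS auth_flag
      IMPORTING iv_actvt       TYPE c
                iv_carrier     TYPE s_carr_id OPTIONAL
      RETURNING VALUE(rv_flag) LIKE if_abap_behv=>auth-allowed.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.
  METHOD auth_flag.
    IF iv_carrier IS INITIAL.
      " No instance yet (create): ZCARR is deliberately not evaluated (DUMMY).
      AUTHORITY-CHECK OBJECT 'Z_MY_AUTH'
        ID 'ACTVT' FIELD iv_actvt
        ID 'ZCARR' DUMMY.
    ELSE.
      AUTHORITY-CHECK OBJECT 'Z_MY_AUTH'
        ID 'ACTVT' FIELD iv_actvt
        ID 'ZCARR' FIELD iv_carrier.
    ENDIF.
    " sy-subrc is consumed immediately; any later statement may overwrite it.
    rv_flag = COND #( WHEN sy-subrc = 0 THEN if_abap_behv=>auth-allowed
                                        ELSE if_abap_behv=>auth-unauthorized ).
  ENDMETHOD.

  METHOD get_global_authorizations.
    " Create is decided once per request; the carrier is unknown here, so a
    " validation on save must repeat the check with the carrier actually set.
    IF requested_authorizations-%create = if_abap_behv=>mk-on.
      result-%create = auth_flag( c_actvt-create ).
    ENDIF.
  ENDMETHOD.

  METHOD get_instance_authorizations.
    READ ENTITIES OF zr_travel IN LOCAL MODE
      ENTITY Travel
        FIELDS ( carrier_id )
        WITH CORRESPONDING #( keys )
      RESULT DATA(lt_travels).

    DATA ls_auth LIKE LINE OF result.

    LOOP AT lt_travels INTO DATA(ls_travel).
      CLEAR ls_auth.
      ls_auth-%tky = ls_travel-%tky.

      " Each requested operation gets its own activity for this carrier.
      " Delete (06) or the action (16) is never derived from a change (02) result.
      IF requested_authorizations-%update = if_abap_behv=>mk-on.
        ls_auth-%update = auth_flag( iv_actvt   = c_actvt-change
                                     iv_carrier = ls_travel-carrier_id ).
      ENDIF.
      IF requested_authorizations-%delete = if_abap_behv=>mk-on.
        ls_auth-%delete = auth_flag( iv_actvt   = c_actvt-delete
                                     iv_carrier = ls_travel-carrier_id ).
      ENDIF.
      IF requested_authorizations-%action-approveTravel = if_abap_behv=>mk-on.
        ls_auth-%action-approveTravel = auth_flag( iv_actvt   = c_actvt-execute
                                                   iv_carrier = ls_travel-carrier_id ).
      ENDIF.

      " RAP itself rejects an operation whose flag is auth-unauthorized; the
      " handler only decides.
      APPEND ls_auth TO result.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

Binding the custom action to Execute (`16`) rather than Change (`02`) is a design choice made for the example: it lets a role approve travels without being able to edit them, which is the separation the ACTVT table in the listing makes possible.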