An authorization object is an element of the authorization system. Authorizations are checked against objects in the system. Authorization objects enable complex authorization checks that are linked to several conditions. For the authorization check to be successful, the user must pass the check for each field contained in the object.
Field of an Authorization object:
In authorization objects, authorization fields represent the values to be tested during authorization checks. Examples are the movement type in material movements, or the document type and plant in purchasing documents. An authorization object combines up to 10 authorization fields.
Finding a missing authorization object:
The most common and easiest way to find a missing authorization is Transaction SU53. Whenever a user runs into a missing authorization, the user needs to enter /nSU53 in the Command field and view the authorization data for the user. In this example, I have given details for no access to SU01 edit/create.
Here, make a note to drill down and get both the authorization object and the field name. This makes the job of the Basis/Security consultants easier, and they can provide the required authorization correctly.
When you find such messages, go to SU53 and share the screen with the Security team. A functional consultant can also understand and identify the missing authorizations from the screen.
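The rule that every field of an object must pass, and the object and field names to hand to the Security team, sketched as an added example in Python (not SAP code and not from the original post). It is a simplified model: the object names, field values and user data are constructed samples, and it assumes that all fields must match within a single authorization held by the user, with `*` meaning any value.

```python
# Simplified model of an authorization check (added example, not SAP code).
# A user can hold several authorizations for one object; each authorization
# maps every field of the object to the set of values it allows.
# Object names, field values and the user data below are constructed samples.

USER_AUTHS = {
    "M_BEST_WRK": [
        {"ACTVT": {"03"}, "WERKS": {"*"}},           # display, any plant
        {"ACTVT": {"01", "02"}, "WERKS": {"1000"}},  # create/change, plant 1000
    ],
}


def field_ok(allowed, value):
    """A field passes if the checked value is allowed or '*' is granted."""
    return "*" in allowed or value in allowed


def authority_check(user_auths, obj, **required):
    """Return (passed, report).

    The check passes only if ONE authorization of the object covers ALL
    requested field values (assumption of this model). On failure the report
    names the object, the checked values and the fields that failed in the
    closest authorization, i.e. the details to pass to the security team.
    """
    closest = None
    for auth in user_auths.get(obj, []):
        missing = [f for f, v in required.items()
                   if not field_ok(auth.get(f, set()), v)]
        if not missing:
            return True, None
        if closest is None or len(missing) < len(closest):
            closest = missing
    return False, {
        "object": obj,
        "checked": dict(required),
        "failed_fields": closest if closest is not None else list(required),
    }


if __name__ == "__main__":
    # Change in plant 2000: each field is allowed somewhere, but never
    # together in the same authorization, so the check fails.
    print(authority_check(USER_AUTHS, "M_BEST_WRK", ACTVT="02", WERKS="2000"))
```

Changing a document in plant 2000 fails even though activity 02 and the plant wildcard each appear in one of the user's authorizations, because field values are not combined across separate authorizations.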
The best way to find an authorization object is to check table TOBJ.
In SE16N, for table TOBJ, enter the authorization class (say, MM_E for Materials Management: Purchasing).
The output screen then lists the authorization objects and fields relevant to the entered class.
We can get the authorization objects of a role from transaction code PFCG, as shown below.
The list of authorization objects can be seen with transaction code SU21.
I hope this is useful for you. Please share with your friends to make it more useful.