Authorization Checks

For an authorization check to be executed, it must be included in the source code of a transaction and must not be exempt from the check.

During an authorization check, the system compares the values assigned by the system administrator in an authorization profile with the values that the program specifies as necessary to execute a certain action.

A user may only execute the action if the authorization check is successful for every field in the authorization object.

Authorization checks are triggered by the ABAP AUTHORITY-CHECK statement. In this statement, the programmer specifies an authorization object and the required values for each authorization field.

AUTHORITY-CHECK checks whether a user has the appropriate authorization. To do this, it searches the authorization profile specified in the user master record to see whether the user has an authorization for the authorization object named in the statement.

If the authorization is found and it contains the correct values, the check is successful.
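
A minimal report showing such a check, added here as an illustration and not taken from SAP's own documentation or code. It assumes the flight demo model is installed (authorization object S_CARRID with fields CARRID and ACTVT, table SPFLI); the report name and the message texts are hypothetical.

```abap
REPORT z_authcheck_demo.
" Hypothetical report name. Assumes the SAP flight demo model is present.

PARAMETERS p_carr TYPE s_carr_id OBLIGATORY.

DATA: lt_spfli TYPE STANDARD TABLE OF spfli,
      ls_spfli TYPE spfli.

START-OF-SELECTION.

  " Name the authorization object and, for every field of that object,
  " the value this action requires. ACTVT '03' is the activity "display".
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carr
    ID 'ACTVT'  FIELD '03'.

  " AUTHORITY-CHECK only sets sy-subrc; it does not stop the program.
  " The program must evaluate the result itself and fail closed:
  "   0  = authorization found and all field values match
  "   4  = authorization for the object exists, but the values do not match
  "   12 = no authorization for the object in the user master record
  " Any other non-zero value is also treated as a failed check.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this carrier' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Reached only after a successful check.
  SELECT * FROM spfli INTO TABLE lt_spfli WHERE carrid = p_carr.

  LOOP AT lt_spfli INTO ls_spfli.
    WRITE: / ls_spfli-carrid, ls_spfli-connid,
             ls_spfli-cityfrom, ls_spfli-cityto.
  ENDLOOP.
```

If the IF block after the statement is left out, the SELECT runs regardless of the result, so a code review should confirm that every AUTHORITY-CHECK is followed by an evaluation of sy-subrc.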

When R/3 transactions are executed, a large number of authorization objects are often checked, since the transaction calls other work areas in the background. For these checks to succeed, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can deliberately disable such authorization checks by setting the Check Status in Transaction SU24.