Requests to the database in ABAP are processed by the database interface. The database interface is responsible for ensuring that the SQL statement is processed correctly. Since a database operation could come from any application and be for any activity (create, read, update, delete), the database interface must be able to carry out almost any operation. Business users, on the other hand, should only be able to perform certain actions on certain data.
Consequently, the database interface logs onto the database with a special user that can do anything, and not with the user of the business user. To restrict business users to certain privileges, ABAP uses a system of logical authorization checks.
Watch this video to understand how to assign authorization to users using IAM App.
In ABAP, there are two kinds of authorization check. The first is a check that you bind to a CDS view. When the system reads data, it filters the retrieved data according to the user's authorizations. The second is an explicit check using the AUTHORITY-CHECK statement. This sets a return code value, telling you whether the user has the required authorization. In this case, the developer must ensure themselves that the requested action is not performed if the user does not have the authorization. In the ABAP RESTful Application Programming model (RAP), you typically use access controls for read operations and AUTHORITY-CHECK statements to validate authorizations before you allow changes to data.