Overview
Depending on the perspective, different authorizations are required; we essentially distinguish between these three roles here:
  1. User
    A user needs the authorization to run S10 applications. In addition, a role defined in the program may have to be assigned to the user. Any further authorization checks are the responsibility of the developer within the respective application, e.g. for table access, calling function modules and so on.

  2. Developer
    A developer needs the authorizations for maintaining ABAP programs and editing objects in the MIME repository. Optional functions such as debugging, application or system trace, etc. require further authorizations.

  3. Administrator
    To run an S10 application, different SAP components have to be maintained, especially the SAP ITS (Internet Transaction Server). You can find a description of the SAP transactions and their connection to the S10 Framework in the chapter "Useful SAP transactions".
1. Authorizations for S10 users
The logon to an S10 application is always performed with the respective SAP user name. The user must have the authorization to execute the transaction /S10/MAIN. Further authorizations must then be checked by the developer in the respective ABAP class.



Checking a specific role
If the parameter "role=" is set when specifying the S10 license, the S10 Framework additionally checks whether this role has been assigned to the user in the SAP system when the user logs on. If this is not the case, logon is not possible:
* set S10 license
    s10setlicense( 'Demo license number=100 role=s10demo_role maxusers=10 signature=1.2.3' ).

Example of a custom authorization check:
In an S10 class you can check standard SAP authorization objects or self-created ones, as in this example. If the authorization check is not successful, the S10 Framework issues an error message at the frontend and terminates further processing at this point in the code:
* Use a self defined authority object
    authority-check object 'Z_S10_BARC'
      id 'ACTVT' field '10'.

* not authorized -> message to user and stop processing
    if sy-subrc <> 0.
      s10errormessage(
         exporting
          msgid             =     'CACSIB'
          msgno             =      503
      ).
    endif.
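
The three checks from this section, combined into a stand-alone ABAP report that an administrator can run as the affected user to see which prerequisite is missing. This is an added example, not part of the S10 Framework: the report name and the lookup in the standard table AGR_USERS are assumptions (the page does not say how the framework verifies the role), and the role name is taken from the license example above.

```abap
* Added example, not part of the S10 Framework. Run as the affected user.
* Assumptions: report name, and role lookup via standard table AGR_USERS.
report z_s10_auth_precheck.

* Role from the "role=" license parameter, entered exactly as stored
parameters p_role type agr_users-agr_name default 's10demo_role' lower case.

data found_role type agr_users-agr_name.

start-of-selection.

* 1) Authorization to execute the S10 entry transaction
  authority-check object 'S_TCODE'
    id 'TCD' field '/S10/MAIN'.
  perform show using 'Transaction /S10/MAIN' sy-subrc.

* 2) Role assigned to the current user and valid today
  select single agr_name from agr_users into found_role
    where agr_name = p_role
      and uname    = sy-uname
      and from_dat <= sy-datum
      and to_dat   >= sy-datum.
  perform show using 'Role assignment' sy-subrc.

* 3) Self-defined object checked inside the S10 class (see above)
  authority-check object 'Z_S10_BARC'
    id 'ACTVT' field '10'.
  perform show using 'Object Z_S10_BARC, ACTVT 10' sy-subrc.

* Print one result line; rc is passed by value so it cannot change
form show using check type csequence value(rc) type sy-subrc.
  if rc = 0.
    write: / check, 40 'OK'.
  else.
    write: / check, 40 'MISSING, sy-subrc =', rc.
  endif.
endform.
```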
2. Authorizations for S10 developers
The development of S10 applications follows the MVC (Model View Controller) principle. The application logic is essentially implemented in an ABAP class. For this the developer needs appropriate authorizations. The views are realized in HTML and then stored in the MIME repository, which in turn requires the authorizations to change these objects.

Here you can see the minimum necessary permissions for this, with no restriction set to specific development objects in this example:


3. Authorizations for S10 administrators
Different authorizations are required for the installation, configuration and monitoring of the S10 Framework, depending on which tasks are to be performed and to what extent.

During installation, the S10 components have to be transported into the system (transaction STMS). In addition, there are a number of transactions and tools for the administration of the applications, e.g. the application log, system trace, ICM monitor and the administration of the Fiori Launchpad. For more information, see the chapter "Useful SAP transactions".

Component S10 Framework