Saturday, October 30, 2010

What is '&NC&' in authorization groups

Access to specific tables and reports can be restricted using authorization groups. For example, suppose user 'JOHN' can browse tables using transaction SE16, but as the user administrator you want to restrict that access to only 10 specific tables. In SAP, these 10 tables can be assigned to one authorization group (let's say the authorization group 'ABCD'). When you create the role to be assigned to JOHN, you assign the value 'ABCD' in the authorization group field for authorization objects S_TABU_DIS and S_TABU_CLI. This ensures that JOHN can browse only the 10 tables that belong to authorization group 'ABCD'.


The same concept applies to reports as well. Table TRDIR stores the authorization groups for all tables while table TDDAT stores the authorization groups for all reports in SAP.


You may notice that some tables have no authorization group, which means that any user with authorization to browse tables can browse them. The user does not need any authorization group in her profile to browse these tables.


You may also notice that some tables have the authorization group '&NC&'. '&NC&' is slightly better than a blank authorization group, since only users with at least one authorization group in their profile can access these tables. It doesn't matter which authorization group is specified in the user's profile: as long as there is one, the user can access tables assigned to authorization group '&NC&'.

So, it is best to have specific authorization groups assigned to each table you want to protect against unauthorized access. For others, at least have the authorization group as '&NC&' (Not the best option but still better than leaving it blank!)
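To find which tables are actually protected, the rules above can be run over an export of table-to-group assignments. This is an added example, not code from the original post or from SAP: the CSV layout, column names and table names are constructed, and it assumes the user already has table-browsing access (for example via SE16).

```python
import csv
import io

# Constructed sample export; column and table names are assumptions,
# not SAP field names.
SAMPLE_EXPORT = """table,auth_group
ZSALARY,ABCD
ZVENDOR_BANK,ABCD
ZLOOKUP,&NC&
ZTEMP_LOG,
ZHR_NOTES,HRXX
"""

def classify(auth_group):
    """Map an assignment to one of the three tiers the post describes."""
    group = (auth_group or "").strip()
    if not group:
        return "blank"       # no authorization group at all
    if group == "&NC&":
        return "nc"          # open to anyone holding any group
    return "specific"        # needs exactly this group

def can_browse(table_group, user_groups):
    """Apply the post's rules for a user who may already browse tables."""
    tier = classify(table_group)
    if tier == "blank":
        return True
    if tier == "nc":
        return bool(user_groups)
    return table_group.strip() in user_groups

def audit(export_text, user_groups):
    """Group tables by tier and list what this user could browse."""
    report = {"blank": [], "nc": [], "specific": [], "browsable": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        name, group = row["table"].strip(), row["auth_group"] or ""
        report[classify(group)].append(name)
        if can_browse(group, user_groups):
            report["browsable"].append(name)
    return report

if __name__ == "__main__":
    for key, tables in audit(SAMPLE_EXPORT, {"ABCD"}).items():
        print(f"{key:10} {', '.join(tables) or '-'}")
```

The `blank` and `nc` lists are the tables to review first, since a role restricted to 'ABCD' still reaches them.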

4 comments:

  1. Hi Barun,

    Thanks for the information, especially about the difference between specifying no authorization group and &NC&. It's good to know this difference.

    I have a question which you might have an answer to. If I have to re-use the standard authorization groups (instead of creating my Z authorization groups), how can I decide which would be the appropriate one for my Z-tables?

  2. The predefined authorization groups follow a naming convention, which indicates which kind of tables they should be used for. But nothing stops you from just using any of the existing groups. Contact me at barunkumar@mantranconsulting.com if you have a specific scenario in mind.
