SAP Security Authorizations



The Authorization Concept

Introduction on Authorizations
  • Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.
  • For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.
  • You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.
Authorization:
Authorization means permission to perform a particular function in the SAP system. It is achieved by assigning authorization profiles to users.
Authorization Field:
1. It is an element which requires protection.
2. This is the least granular field against which the SAP system is protected.
3. These fields are associated with the data elements of the ABAP/4 dictionary.
4. This is defined in the transaction SU20.
5. Data Element: It is the least granular element which has a valuable name defined by length and type.
Activity:
1. It defines the type of action which can be performed on an authorization field.
   Example: Create, Modify, Delete, Display, Approve, Save, Reverse, Print, etc.
2.Activities are defined in the table.
Authorization Object:
1.     R/3 uses authorization objects to assign authorizations to users.
2.     An authorization object is a template for an authorization.     
For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (e.g. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (e.g. Z_SCC20001).
3.     The Authorization object defines an activity that needs to be protected in the SAP System.
4.     An authorization object groups together up to 10 authorization fields that are checked together in an authorization check.
5.     Authorization objects are defined in transaction SU21  (Most are in-built)
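
The AND/OR rule from the introduction, applied to the F_SKA1_BUK example, as an added Python model (not SAP code and not from the original post). It assumes the technical field names BUKRS (Company Code) and ACTVT (Activity), activity codes 01 = create and 03 = display, and the "*" wildcard; the second authorization, Z_SCC10003, is constructed for illustration.

```python
from dataclasses import dataclass

MAX_FIELDS = 10  # per the page: an object groups up to 10 fields


@dataclass(frozen=True)
class AuthObject:
    name: str
    fields: tuple

    def __post_init__(self):
        if not 1 <= len(self.fields) <= MAX_FIELDS:
            raise ValueError(f"{self.name}: 1..{MAX_FIELDS} fields required")


@dataclass
class Authorization:
    name: str
    obj: AuthObject
    values: dict  # field name -> set of allowed values; "*" allows any value

    def permits(self, requested: dict) -> bool:
        # AND relationship: every field of the object must match.
        for field in self.obj.fields:
            allowed = self.values.get(field, set())
            if "*" not in allowed and requested.get(field) not in allowed:
                return False
        return True


def authority_check(user_auths, obj, requested) -> bool:
    # OR relationship: one fully matching authorization is sufficient.
    return any(a.obj == obj and a.permits(requested) for a in user_auths)


# Assumed technical field names for Company Code and Activity.
F_SKA1_BUK = AuthObject("F_SKA1_BUK", ("BUKRS", "ACTVT"))
USER_AUTHS = [
    Authorization("Z_SCC20001", F_SKA1_BUK, {"BUKRS": {"2000"}, "ACTVT": {"01"}}),
    # Constructed second authorization: display only, company code 1000.
    Authorization("Z_SCC10003", F_SKA1_BUK, {"BUKRS": {"1000"}, "ACTVT": {"03"}}),
]

if __name__ == "__main__":
    for bukrs, actvt in [("2000", "01"), ("1000", "03"), ("1000", "01")]:
        ok = authority_check(USER_AUTHS, F_SKA1_BUK, {"BUKRS": bukrs, "ACTVT": actvt})
        print(bukrs, actvt, "granted" if ok else "denied")
```

Field values do not combine across authorizations: holding create for company code 2000 and display for company code 1000 does not grant create for 1000.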

Object Class:

1.     Depending on the application area, relevant authorization objects are grouped into an object class.
2.     These are defined in transaction SU22.


Authorizations:

1.     Authorization is used to define permitted values for the fields of an authorization object.
2.     Authorizations are defined in SU20.

Authorization Profiles:

1.     As a rule, authorizations are not directly assigned to a user. Instead, these authorizations are grouped in an authorization profile, which is then assigned to the user master records.
2.     A group of not more than 150 authorizations is called an authorization profile.
3.     Before version 4.6c, profiles were created manually in SU02. From 4.6c onwards, profiles are generated using the Profile Generator.


Composite Profile:
1.    A group of authorization profiles (SAP_ALL, SAP_NEW).
2.    These are used for administrative purposes; however, when a profile exceeds 150 authorizations, another profile will be created and generated.
Role:
1.     A role is a group of profiles, menus, transactions, reports, user assignments and personalization.
2.     Roles are defined in transaction code PFCG.
3.     Roles were called Activity Groups until 4.6c.
Types of Roles:
1.     Single Role
           i.  Parent Role or Role
           ii. Derived Role or Child Role
2.     Composite Role
Figure: Role Types
 
