
SAP Security Authorizations



The Authorization Concept

Introduction on Authorizations
  • Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.
  • For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.
  • You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.
Authorization:
Authorization means permission to perform a particular function in the SAP system. It is achieved by assigning authorization profiles to users.
Authorization Field:
1. It is an element which requires protection.
2. This is the least granular field against which the SAP system is protected.
3. These fields are associated with the data elements of the ABAP/4 dictionary.
4. This is defined in the transaction SU20.
5. Data Element: It is the least granular element, which has a valuable name defined by length and type.
Activity:
1. It defines the type of action which can be performed on an authorization field. Example: Create, Modify, Delete, Display, Approve, Save, Reverse, Print, etc.
2. Activities are defined in the table.
Authorization Object:
1.     R/3 uses authorization objects to assign authorizations to users.
2.     An authorization object is a template for an authorization.     
For example, authorization object F_SKA1_BUK (G/L Account: Authorization for company codes) requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (e.g. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (e.g. Z_SCC20001).
3.     The Authorization object defines an activity that needs to be protected in the SAP System.
4.     An authorization object groups together up to 10 authorization fields that are checked together in an authorization check.
5.     Authorization objects are defined in transaction SU21 (most are built in).
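
The AND/OR evaluation described above, modelled in Python for the F_SKA1_BUK example (an added example, not SAP's implementation and not code from the original page). The field names BUKRS and ACTVT, the activity codes written as "01" and "03", and the authorizations Z_SCC10003 and Z_SCC_ALL are assumptions made for the illustration.

```python
# Added illustration (not SAP code): models the check semantics described above.
# Fields inside one authorization are ANDed; a user's authorizations are ORed.
# Not on the page: field names BUKRS (company code) and ACTVT (activity), the
# two-character activity codes "01" (create) / "03" (display), and every
# authorization except Z_SCC20001 (constructed sample data).

def field_matches(allowed, requested):
    """A field passes if the requested value is listed or '*' (all values) is held."""
    return "*" in allowed or requested in allowed

def authorization_grants(auth, required):
    """AND: every checked field must pass inside this ONE authorization."""
    return all(field_matches(auth["values"].get(field, ()), value)
               for field, value in required.items())

def authority_check(user_auths, obj, **required):
    """OR: the first authorization for the object that passes grants access.
    Returns the granting authorization's name, or None if the check fails."""
    for auth in user_auths:
        if auth["object"] == obj and authorization_grants(auth, required):
            return auth["name"]
    return None

def overbroad(user_auths):
    """Review helper: authorizations holding '*' in at least one field."""
    return [a["name"] for a in user_auths
            if any("*" in vals for vals in a["values"].values())]

GL_SUPERVISOR = [  # create G/L accounts in 2000, display only in 1000
    {"name": "Z_SCC20001", "object": "F_SKA1_BUK",
     "values": {"BUKRS": {"2000"}, "ACTVT": {"01"}}},
    {"name": "Z_SCC10003", "object": "F_SKA1_BUK",
     "values": {"BUKRS": {"1000"}, "ACTVT": {"03"}}},
]
GL_ADMIN = [
    {"name": "Z_SCC_ALL", "object": "F_SKA1_BUK",
     "values": {"BUKRS": {"*"}, "ACTVT": {"*"}}},
]

if __name__ == "__main__":
    for bukrs, actvt in [("2000", "01"), ("1000", "03"), ("1000", "01")]:
        hit = authority_check(GL_SUPERVISOR, "F_SKA1_BUK", BUKRS=bukrs, ACTVT=actvt)
        print(bukrs, actvt, "->", hit or "check failed")
    print("over-broad:", overbroad(GL_ADMIN))
```

The request for company code 1000 with activity 01 fails even though the user holds both values: they sit in different authorizations, and fields are only ANDed within a single authorization.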

Object Class:

1.     Depending on the application area, relevant authorization objects are grouped into an object class.
2.     These are defined in transaction SU22.


Authorizations:

1.     Authorization is used to define permitted values for the fields of an authorization object.
2.     Authorizations are defined in SU20.

Authorization Profiles:

1.     As a rule authorizations are not directly assigned to a user. Instead these authorizations are clubbed in an authorization profile and are then assigned to the user master records.
2.     A group of not more than 150 authorizations is called an authorization profile.
3.     Before version 4.6C, profiles were created manually in SU02. From 4.6C onwards, profiles are generated using the Profile Generator.


Composite Profile:
1.     A group of authorization profiles (SAP_ALL, SAP_NEW).
2.     These are used for administrative purposes; however, when a profile exceeds 150 authorizations, another profile is created and generated.
Role:
1.     A role is a group of profiles, menus, transactions, reports, user assignments and personalization.
2.     Roles are defined in transaction code PFCG.
3.     Roles were called Activity Groups until 4.6C.
Types of Roles:
1.     Single Role
           i.  Parent Role or Role
           ii. Derived Role or Child Role
2.     Composite Role
Figure: Role Types
 

SAP Security, Authorizations


  • An authorization is a permission to perform a certain action in the SAP System.
  • Authorizations are used to control access at the application level.
  • The SAP authorization concept is basically used for SAP security.
  • Security: Security means protecting your data and your business.

SAP Authorization Architecture


The structure of authorization is as follows:

Field: The smallest unit against which a check should be run. It is the least granular element/data element used to secure the data/information.

Authorizations: Authorizations are used to control access at the application level.

Authorization Object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously.

Authorization Object Class: Logical grouping of authorization objects.

Profile: Profiles provide authorization based on the assigned authorizations and authorization objects. Up to version 4.6C, profiles were created in transaction code SU02; after version 4.6C, profiles are created automatically when roles are created, modified or generated.

Role: It is a combination of menus, authorizations, profiles and personalization. A role is a group of activities performed within business scenarios, or the activities assigned to the user; put another way, a role is a set of functions describing a specific work area. Roles consist of a menu, authorizations and organizational values.
 For more information visit www.keylabstraining.com