SAP Authorization Concept
The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. Based on the authorization concept, the administrator assigns authorizations to users. These authorizations determine which actions a user can execute in the SAP System after he or she has logged on to the system and authenticated himself or herself.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, because business objects and transactions are protected by authorization objects. The authorizations are instances of generic authorization objects and are defined according to the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles through the user master record, so that the user can use the appropriate transactions for his or her tasks.
Diagram of SAP Authorization Concept
The following graphic shows the authorization components and their relationships.

Explaining SAP Authorization Concept in Detail
User master record
These enable the user to log onto the SAP System and allow access to the functions and objects in it within the limits of the authorization profiles specified in the role. The user master record contains all information about the corresponding user, including the authorizations. Changes only take effect when the user next logs on to the system. Users who are logged on when the change takes place are not affected in their current session.
Single role
Is created with the profile generator and allows the automatic generation of an authorization profile. The role contains the authorization data and the logon menu for the user.
Composite role
Consists of any number of single roles.
Generated authorization profile
Is generated in role maintenance from the role data.
Manual authorization profile
To minimize the maintenance effort if you are using authorization profiles, do not usually enter single authorizations in the user master record, but rather authorizations combined into authorization profiles. Changes to the authorization rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who are already logged on are not immediately affected by the changes.
We strongly recommend that you do not assign profiles manually, but rather do so automatically with the profile generator.
Composite profile
Consists of any number of authorization profiles.
Authorization
Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object. An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values. Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.
If you change authorizations, all users whose authorization profile contains these authorizations are affected.
As a system administrator, you can change authorizations in the following ways:
• You can extend and change the SAP defaults with role maintenance.
• You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.
The line of the authorization is colored yellow in the profile generator.
Authorization Object
An authorization object groups up to ten fields that are related by AND. An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.
Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.
For information about maintaining the authorization values, double click an authorization object. The line of the authorization object is colored green in the profile generator.
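The check described above can be modelled in a few lines. This is an added illustration, not SAP code and not part of the original post: it shows that the fields of an object are related by AND within a single authorization, so values from two different authorizations of the same object are not combined. The object, field, and transaction names are used only as sample data, and the user's authorizations are constructed.

```python
# Simplified model of an authorization check (added example, not SAP code).
from dataclasses import dataclass

ALL = "*"  # "allow all values" for a field


@dataclass
class Authorization:
    """One authorization: permitted values for each field of one object."""
    obj: str
    fields: dict  # field -> list of single values, (low, high) ranges, or ALL


def value_permitted(allowed, checked):
    """True if the checked value matches a single value, a range, or ALL."""
    for entry in allowed:
        if entry == ALL:
            return True
        if isinstance(entry, tuple):
            low, high = entry
            if low <= checked <= high:
                return True
        elif entry == checked:  # also covers "" (empty field as permissible value)
            return True
    return False


def authority_check(user_auths, obj, **checked):
    """Pass only if ONE authorization of the object satisfies ALL checked fields."""
    for auth in user_auths:
        if auth.obj != obj:
            continue
        if all(value_permitted(auth.fields.get(name, []), value)
               for name, value in checked.items()):
            return True
    return False


# Constructed sample: authorizations collected from the profiles
# in one user master record.
USER_AUTHS = [
    Authorization("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["01", "02", "03"]}),
    Authorization("F_BKPF_BUK", {"BUKRS": [("2000", "2999")], "ACTVT": ["03"]}),
    Authorization("S_TCODE", {"TCD": ["FB01", "FB03"]}),
]
```

With this sample data, the user may change documents in company code 1000 and display them in 2000 to 2999, but a change in company code 2500 fails because no single authorization contains both values.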
Authorization fields
Contains the value that you defined. It is connected to the data elements stored with the ABAP Dictionary.
This outlines the overall SAP Authorization Concept.