ABAP Authorization Concept

The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.

To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.

The following figure shows the authorization components and their relationships.

Table 1: Authorization Components (each term is followed by its notes)

User Master Record

The user master record enables the user to log on to the SAP system and grants access to the functions and objects in it, within the limits of the authorization profiles specified in the role. It contains all information about the corresponding user, including the authorizations.

Changes only take effect when the user next logs on to the system. Users who are logged on when the change takes place are not affected in their current session.

Single role

Is created with the role administration tool and allows the automatic generation of an authorization profile. The role contains the authorization data and the logon menu for the user.

Composite role

Consists of any number of single roles.

Generated authorization profile

Is generated in role administration from the role data.

Manual authorization profile

To minimize the editing effort when you use manual authorization profiles, do not enter single authorizations in the user master record; enter authorizations combined into authorization profiles instead. Changes to the authorization rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who are already logged on are not immediately affected by the changes.

Note

We strongly recommend that you do not assign profiles manually, but rather do so automatically with the role administration tool.

Composite profile

Consists of any number of authorization profiles.

Authorization

An instance of an authorization object, that is, a combination of permissible values for each authorization field of that authorization object.

An authorization enables you to perform a particular activity in the SAP system, based on a set of authorization object field values.

Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.

If you change authorizations, all users whose authorization profile contains these authorizations are affected.

As a system administrator, you can edit authorizations in the following ways:

  • You can extend and change the SAP defaults with role administration.
  • You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.

The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.

The line of the authorization is highlighted in yellow.

Authorization object

An authorization object groups up to 10 fields that are related by AND.

An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately entered in the user master record.

Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is highlighted in orange.

For information about editing the authorization values, double-click an authorization object.

The line of the authorization object is highlighted in green.

Authorization field

Contains the values that you defined. Each authorization field is linked to a data element stored in the ABAP Dictionary.
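The check the table describes (a program comparing its field values with the authorizations in the user master record), modelled as an added example that is not SAP code and not part of the original page: in ABAP the program issues the AUTHORITY-CHECK statement, and the Python below reproduces the matching rules the text states, that is, fields of one object related by AND, single values or ranges per field, "*" for all values, an empty value as a permissible value, and composite profiles that consist of other profiles. The object, field and profile names (Z_INVOICE, ACTVT, BUKRS, Z_AP_CLERK_C, ...) and all values are constructed.

```python
# Added example (not SAP code): a model of the authorization check described in the text.
# Object, field, profile names (Z_INVOICE, ACTVT, BUKRS, ...) and all values are constructed.
from dataclasses import dataclass, field

@dataclass
class AuthObject:
    name: str
    fields: tuple          # up to 10 field names; all of them are related by AND

@dataclass
class Authorization:
    obj: str
    values: dict           # field -> list of single values, (low, high) ranges, or "*" for all

@dataclass
class Profile:
    name: str
    auths: list = field(default_factory=list)     # authorizations in this profile
    profiles: list = field(default_factory=list)  # sub-profiles of a composite profile

def value_allowed(allowed, value):
    """A field matches if any permitted entry covers the requested value."""
    for entry in allowed:
        if entry == "*" or (isinstance(entry, tuple) and entry[0] <= value <= entry[1]):
            return True                           # all values, or inside an inclusive range
        if entry == value:                        # single value ('' permits an empty field)
            return True
    return False

def flatten(profile):
    """A composite profile consists of any number of profiles; yield every authorization."""
    yield from profile.auths
    for sub in profile.profiles:
        yield from flatten(sub)

def authority_check(user_profiles, auth_object, requested):
    """Passes only if ONE authorization for the object covers ALL of its fields at once."""
    for p in user_profiles:
        for a in flatten(p):
            if a.obj == auth_object.name and all(
                    value_allowed(a.values.get(f, []), requested[f]) for f in auth_object.fields):
                return True
    return False

# Constructed sample: display everywhere, change only in company codes 1000-1999 (two single profiles under one composite profile).
Z_INVOICE = AuthObject("Z_INVOICE", ("ACTVT", "BUKRS"))
DISPLAY_ALL = Authorization("Z_INVOICE", {"ACTVT": ["03"], "BUKRS": ["*"]})
CHANGE_1XXX = Authorization("Z_INVOICE", {"ACTVT": ["01", "02"], "BUKRS": [("1000", "1999")]})
USER_MASTER_RECORD = [Profile("Z_AP_CLERK_C", profiles=[Profile("Z_INV_DISPLAY", [DISPLAY_ALL]),
                                                        Profile("Z_INV_CHANGE", [CHANGE_1XXX])])]
```

Note that a request for ACTVT 02 in company code 2000 fails even though 02 appears in one authorization and "*" in the other: the AND applies within a single authorization, and values are never combined across authorizations.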

The objects (such as authorizations, profiles, user master records, or roles) are assigned per client.

For more information about transporting these objects from one client to another, or from one system to another, see the SAP Library, in the section Transporting Authorization Components.

Note

If you develop your own transactions or programs, add authorizations to your developments yourself (see Authorization Checks in Your Own Developments).

To be able to successfully implement the authorization strategy, you need a reliable authorization plan. To produce a plan, first decide which users may perform which tasks in the SAP system. You then need to assign the authorizations required for these tasks in the SAP system to each user.

The development of a stable and reliable authorization plan is an ongoing process. We recommend that you regularly revise the authorization plan so that it always meets your requirements. Define standard roles and procedures for creating and assigning roles, profiles, and authorizations.