SAP Authorization Concept

Secure User Access

The SAP authorization concept was developed to protect transactions, programs, and services in SAP systems from unauthorized access. In the authorization concept, the administrator assigns authorizations to users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.

Since business objects and SAP transactions are protected by authorization, a user requires corresponding authorizations. The authorizations represent instances of generic authorization objects, and are defined by the activity and responsibilities of the employee. Authorizations are combined in an authorization profile, associated with a role. The user administrators then assign the corresponding roles using the user master record, so the user can use the appropriate transactions for his or her tasks.

SAP Best Practices facilitates the definition of authorization profiles by listing the SAP transactions that are necessary to perform all system activities required for the handling of the respective business scenario. Using the profile generator you can automatically create authorization profiles covering selected system transactions. See the function list for an overview of the transactions used in the different SAP Best Practices scenarios.

All authorization profiles can be adapted according to the necessary requirements and the authorization concept that has to be realized, respectively. For more information on this topic, see the SAP Help Portal, in the area SAP Netweaver -> Security -> Identity Management.