Select language:
Entering content frameBackground documentationThe SAP Authorization Concept

You may need several authorizations to perform an operation in the SAP System. The resulting contexts can be complex. The SAP authorization concept, based on authorization objects, has been realized to provide an understandable and simple procedure. Several system elements which are to be protected form an authorization object.

The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user is authorized to perform an activity by comparing the specified authorization object field values in the program with the authorization values in the user master record.

Authorizations can be collected in authorization profiles to reduce the maintenance effort which would be required to enter individual authorizations in the user master record. Access authorization changes affect all users with the profile in their master record.

You can create profiles manually, but you should use the Profile generator. The Profile generator creates profiles automatically and assigns them to user master records. The Profile generator simplifies and speeds up user administration and you should use it to create the authorizations for your staff. The Profile generator also creates the user menus which appear when the user logs on to the SAP System.

To maintain authorizations and profiles manually, you need detailed knowledge of all SAP authorization components. If you use the Profile Generator, you do not need such detailed knowledge. This considerably reduces the SAP System implementation effort.

The following sections describe and classify the authorization concept components. The tasks which can be automated with the Profile generator are then described.

The following graphic shows the authorization components and their relationships. Examples in the explanations relate to the

Structure linkAuthorization Check Scenario.

This graphic is explained in the accompanying text

The terms in the above graphic are explained below:

Object class

Authorization objects are divided into classes for comprehensibility. An object class corresponds e.g. to an application (Financial accounting, Human relations management, etc.)

The object classes are under Tools ® Administration ® User maintenance ® Authorizations.

Authorization objects

An authorization object groups up to ten fields that related by AND.

An authorization object allows complex tests of an

Authorization for multiple conditions. Authorizations allow users to execute actions within the system.

For an authorization check to be successful, all field values of the authorization object must be maintained in the user master.


An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.



is an authorization for the authorization object S_TRVL_BKS with the following values: * for customer type (field: CUSTTYPE ) and
02 for activity (field: ACTVT ).

Use: Specifies permissible authorization object field values.

Contents: One or more values for each field.

Authorizations allow you to specify any number of values or value ranges for a field. You can also allow all values, or allow an empty field as a permissible value.

Changes: All users with this authorization in their authorization profile are affected.

The R/3 System administrator can maintain authorizations as follows:

  • Using the Profile Generator
    You can change or extend the SAP default field values.
  • Manually, by choosing Tools
® Administration ® User Maintenance ® Authorization ® Authorization ® Create (or Change). Changes take effect for the users as soon as the authorization is activated.

In the above graphic, the authorization Z:BANK_ALL could be the authorization for all activities and Z:BANK_001 the authorization for a certain area (for example Customers).


User authorizations are not usually assigned directly to user master records, but grouped together in authorization profiles.

The system administrator can create authorization profiles automatically using the Profile Generator.

Use: Specifies authorizations in user master records

Contents: Specific access rights, identified by an object name and a corresponding authorization name.

Changes only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.

In the example, Z:ACCOUNT is an authorization profile containing company code authorizations.


You can also create composite profiles in the manual maintenance under Tools

® Administration ® User maintenance ® Profile. Composite profiles can contain simple and composite profiles or individual authorizations. Composite profiles simplify the administration when you maintain profiles manually.

User Master Record

These enable the user to log onto the SAP System and allow access to the functions and objects in it within the limits of the specified authorization profiles.

The user administrator maintains user master records under Tools

® Administration, User maintenance ® Users (SU01).

Changes only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.

In the example a user whose user master record contains the profile Z:ACCOUNT can perform the activities in the profile authorizations.

For more information, see:

Assigning Authorizations

Authorization Checks

Structure linkAuthorization Check Scenario

See also:

Profile generatorLeaving content frame