
Authorization

Authority to carry out a particular activity in the system.

The system always grants an authorization for a specific authorization object and stores it in the user master record of a user. You can think of an authorization as a key that fits the locks of a specific lock system (the authorization object).

Just as a lock system has master keys and general keys in addition to individual keys, there are authorizations that pass several authorization checks. However, the authorizations and checks must always belong to the same authorization object (that is, to the same lock system).

Authorization Check

Point in the program at which the system asks for a specific authorization. You can think of the authorization check as a lock in a lock system.

Authorization Level

Access mode used by the user to access system data.

Possible specifications of an authorization level are:

M: Read with entry helps

R: Read

E: Write locked data records

D: Maintain lock indicators

W: Write data records

*: All operations

Authorization Main Switch

Collective term for the AUTSW group entries from table T77S0 (System Table) that are connected with HR authorizations. You can generally control the use of an authorization object during the authorization check using this switch.

Example: The ORGIN entry controls the use of the P_ORGIN authorization object.

The AUTSW ADAYS switch, which you can use to set up the tolerance time for the validity of authorizations in case of an organizational change, is an exception to this. Another exception is the AUTSW APPRO switch, which you can use to control the test procedures.

Authorization Object

Technical tool used to carry out authorization checks.

From a system point of view, an authorization object primarily determines the technical context of the authorization check, that is, which fields, with which field values, the system considers during the corresponding authorization check. You can specify a maximum of ten fields per authorization object. The actual check and its business meaning are determined by a program of the corresponding application.

You can think of an authorization object as the building instructions for the locksmith of a lock system. The object does not determine which authorizations you need at a position (which keys fit which locks); instead, it determines which fields are used in the authorization check (what the keys and locks look like). Nor does the object determine which programs access it (where a lock is installed) or how the programs react after the corresponding authorization checks (what happens when you turn the key).

Authorization Profile

Grouping of authorizations. Analogy: Bunch of keys (where a key = an authorization)

Business Add-In (BAdI)

Function that creates the flexibility to realize customer enhancements. A BAdI is a location defined by SAP in a program at which delivered software layers (industries, partners, customers, and so on) can insert code without modifying the original object. Business Add-Ins can be created at every level of a multi-level system infrastructure (for example, SAP, country version, IS solutions, partners, and customers). Implementations can also be created and delivered in all software layers.

The enhancement technique with Business Add-Ins distinguishes between enhancements that can have at most one implementation and those that can be actively used by any number of customers at the same time. Business Add-Ins can also be defined independently of a filter value. Enhancements to the program code are implemented with ABAP objects.

You create BAdIs using the SE18 transaction. You can perform BAdI implementations using the SE19 transaction.

Double Verification Principle

Method that requires at least two users to create or change data.

You can define authorizations for infotypes so that one user is authorized to create data records and write locked data records, and another user to edit the lock indicators (set and delete). Data entry is therefore controlled by both users.

The Double Verification Principle ensures that one person alone cannot change particularly critical information (for instance, the information on an employee’s salary stored in the Basic Pay infotype (0008)).

Evaluation Path

Chain of relationships that exists between objects in a hierarchical structure.

The evaluation path O-S-P, for example, describes the relationship chain organizational unit → position → person.

Evaluation paths are used, for instance, to select objects during evaluations. You choose an evaluation path and the system evaluates the structure along this evaluation path. The report takes account only of the objects that lie along the specified evaluation path.

Feature

Technical tool used to create a decision tree in Customizing. From a technical perspective, a feature is a CASE statement that has been nested several times. You can process features using the Features: Initial Screen transaction (PE03).

Features are frequently used in HR. Features are most frequently used to:

Organizational Key

Field (technical name P0001-VDSK1) that is used to run diverse authorization checks by organizational assignment (using the P_ORGIN authorization object).

The content of the organizational key is either derived by the system from the fields of the Organizational Assignment infotype (0001) or entered manually by the user.

Overall Profile

All the authorization profiles from general and structural authorizations that a user has in the system.

Period of Responsibility

Period for which a user is authorized to access an infotype or a combination of infotype and subtype.

The validity period of a data record may only partly be in a user’s period of responsibility. For this reason, there is a time logic, which then decides on the authorization.

Role

Group of activities that a user with a specific task profile carries out.

A role is defined by the transactions, reports, web-based applications and so on that it contains. User menus provide access to the activities contained in roles.

Test Procedures

Methods that protect infotype data by checking for the presence of the Test Procedures infotype (0103).

Time Logic

Method used within the general authorization check to decide whether a user is authorized to access a data record, based on the user's period of responsibility, the validity period of the data record, and the desired access mode (read or write).

*-Entry

Input value that you can enter instead of concrete values when assigning authorizations.

A * can substitute any value. If XY* is entered in a field as part of an authorization, the corresponding authorization check will be successful for XY, XYA, XYB, XYZ, XY1, for example, but not for ABC. If * is entered in a field, the corresponding authorization check will always be successful.
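The following is an added example (constructed for this glossary, not SAP code) that models the *-entry matching rule above together with the authorization object, authorization and authorization check entries, and shows how the Double Verification Principle follows from splitting the E and D authorization levels between two users. It assumes a simplified P_ORGIN with only the fields INFTY, SUBTY, AUTHC and VDSK1, and the users and organizational keys are constructed sample data.

```python
# Constructed model of SAP HR authorization checks (not SAP code): an object
# names the fields a check considers, an authorization assigns one value or
# *-entry per field, and a check passes only if every checked field is fit
# by a single authorization belonging to that same object.
from dataclasses import dataclass

# Authorization objects and their fields (assumed subset of P_ORGIN's fields).
OBJECTS = {"P_ORGIN": ("INFTY", "SUBTY", "AUTHC", "VDSK1")}


def value_matches(pattern: str, value: str) -> bool:
    """*-entry semantics: '*' fits any value, 'XY*' fits XY, XYA, XY1, ...
    and anything else must be identical."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


@dataclass(frozen=True)
class Authorization:
    obj: str          # authorization object, e.g. P_ORGIN
    values: tuple     # (field, value-or-*-entry) pairs, one per object field


def authority_check(user_auths, obj, **check_fields) -> bool:
    """The lock: every requested field must be fit by one authorization
    (key) belonging to the same authorization object (lock system)."""
    unknown = set(check_fields) - set(OBJECTS[obj])
    if unknown:
        raise ValueError(f"{obj} has no field(s) {sorted(unknown)}")
    for auth in user_auths:
        if auth.obj != obj:
            continue
        held = dict(auth.values)
        if all(value_matches(held[f], v) for f, v in check_fields.items()):
            return True
    return False


def four_eyes_enforced(user_auths, infty, vdsk1) -> bool:
    """Double verification holds if this user cannot both write locked
    records (AUTHC E) and maintain the lock indicator (AUTHC D)."""
    can_write = authority_check(user_auths, "P_ORGIN", INFTY=infty, AUTHC="E", VDSK1=vdsk1)
    can_unlock = authority_check(user_auths, "P_ORGIN", INFTY=infty, AUTHC="D", VDSK1=vdsk1)
    return not (can_write and can_unlock)


# Constructed users: a clerk writes locked Basic Pay (0008) records for org keys
# starting 1000, an approver maintains the lock indicator, an admin holds *.
CLERK = [Authorization("P_ORGIN", (("INFTY", "0008"), ("SUBTY", "*"), ("AUTHC", "E"), ("VDSK1", "1000*")))]
APPROVER = [Authorization("P_ORGIN", (("INFTY", "0008"), ("SUBTY", "*"), ("AUTHC", "D"), ("VDSK1", "1000*")))]
ADMIN = [Authorization("P_ORGIN", (("INFTY", "*"), ("SUBTY", "*"), ("AUTHC", "*"), ("VDSK1", "*")))]
```

Checking a field the object does not define raises an error, mirroring the rule that authorizations and checks must belong to the same authorization object.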
