Show TOC

Customizing Scenario-Based AuthorizationsLocate this document in the navigation structure

Development can deliver scenarios in applications. To activate the scenarios in the application, you must create active scenarios from the scenario definitions delivered by development.


You have a user with the required authorizations.


Scenarios enable developers to deliver alternative authorization checks for specific scenarios. The scenarios do not change the behavior of the application until you activate them. The scenario definition defines the authorization objects used and how the system should check them. In the active scenario, you can override the authorization status suggested by developer in the scenario definition. Active scenarios are customizing objects, which you can transfer through your landscape.


  1. Start Compare Active Scenarios for Switchable Authorizations (transaction SACF_COMPARE).
  2. Determine the comparison method.
    Option Description
    Set initial values

    Choose this option to copy the configuration of the scenario definition to the active scenario. If there is already an active scenario, this option overwrites any content.

    Automatic comparison with scenario definitions

    Choose this option to automatically create the active scenario. It sets the scenario status, security audit log status, and assignment of any authorization objects and their status in the active scenario to that of the scenario definition. This option cannot overwrite existing values.

    Manual comparison with scenario definitions

    Choose this option to open the active scenario in editing mode. Manually set the scenario status, security audit log status, change the authorization objects, and change the status of the authorization objects.

  3. Enter selection parameters.
  4. Choose (Execute).
  5. Select an active scenario definition and choose the action according to the comparison method.

    You chose the option to...


    Set initial values

    Choose the SAP Menu Initialize pushbutton.

    Automatic comparison with scenario definitions

    Choose the SAP Menu Automatic Comparison pushbutton.

    Manual comparison with scenario definitions

    Double-click an active scenario and edit the data as required.


    By default, the scenario does not record authorization checks in the security audit log. Enable the checks with the SAL Status field to troubleshoot and test. The security audit log can return information about the user ID, the terminal, and the authorization objects involved. In productive systems, only enable the security audit log for critical processes for which you want information about authorization checks that failed. Activate the security audit log only in exceptional circumstances.

Next Steps

Once you have customized and tested the active scenario, you can transport it to other systems in your landscape.