AS ABAP Authorization Concept

Use

The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.

To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.

For more information, see Organizing Authorization Administration; for a detailed description, see AS ABAP Authorization Concept.

Authorization Checks

With programmatic authorization checks, developers ensure that users really have sufficient authorizations before they are allowed to execute any operation.
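A programmatic check of this kind, as an added example that is not part of the original SAP documentation: a report that tests the user's authorization with the AUTHORITY-CHECK statement before it reads any data. The report name z_auth_check_demo is hypothetical; the authorization object S_CARRID and the table SFLIGHT belong to the SAP flight demo data model and are assumed to be present in the system.

```abap
REPORT z_auth_check_demo.  " hypothetical report name

" Airline the user wants to display (data element from the flight model)
PARAMETERS p_carr TYPE s_carr_id OBLIGATORY.

START-OF-SELECTION.
  " Check the authorization object against the user's authorizations:
  " the requested airline and the activity 03 (display).
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carr
    ID 'ACTVT'  FIELD '03'.

  " AUTHORITY-CHECK only sets sy-subrc; it never stops the program itself.
  " Treat every value other than 0 as a failed check, not just 4, so that
  " a missing object in the user master also denies access.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this airline'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Reached only after a successful check.
  SELECT carrid, connid, fldate
    FROM sflight
    WHERE carrid = @p_carr
    INTO TABLE @DATA(lt_flights).

  cl_demo_output=>display( lt_flights ).
```

The field values passed in the check correspond to the authorization values that the administrator maintains in the role, so a user whose role allows activity 03 for one airline only passes the check for that airline.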

For more information, see Authorization Checks.

The administrators can then define the scope of authorization checks, reduce it, or deactivate checks.

For more information, see the following sections:

User Information System

With the User Information System (transaction SUIM) you can obtain an overview of the authorizations and users in your SAP system at any time using search criteria that you define. In particular, you can display lists of users to whom authorizations classified as critical are assigned.

For more information, see User Information System.

Central User Administration

With Central User Administration (CUA) you can maintain user master records centrally in one system. Changes to the information are then automatically distributed to the child systems. This means that you have an overview in the central system of all user data in the entire system landscape.

The following sections contain security-relevant information that you must take account of when setting up and operating a Central User Administration:

For more information, see Central User Administration.