
The SAP Authorization Concept
You may need several authorizations to perform an operation in the SAP System. The resulting contexts can be complex. The SAP authorization concept, based on authorization objects, has been realized to provide an understandable and simple procedure. Several system elements which are to be protected form an authorization object.
The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user is authorized to perform an activity by comparing the specified authorization object field values in the program with the authorization values in the user master record.
Authorizations can be collected in authorization profiles to reduce the maintenance effort which would be required to enter individual authorizations in the user master record. Access authorization changes affect all users with the profile in their master record.
You can create profiles manually, but you should use the Profile generator. The Profile generator creates profiles automatically and assigns them to user master records. The Profile generator simplifies and speeds up user administration and you should use it to create the authorizations for your staff. The Profile generator also creates the user menus which appear when the user logs on to the SAP System.
To maintain authorizations and profiles manually, you need detailed knowledge of all SAP authorization components. If you use the Profile Generator, you do not need such detailed knowledge. This considerably reduces the SAP System implementation effort.
The following sections describe and classify the authorization concept components. The tasks which can be automated with the Profile generator are then described.
The following graphic shows the authorization components and their relationships. Examples in the explanations relate to the Authorization Check Scenario.
The terms in the above graphic are explained below:
Object class |
Authorization objects are divided into classes for comprehensibility. An object class corresponds, for example, to an application (Financial accounting, Human relations management, etc.). The object classes are under Tools → Administration → User maintenance → Authorizations. |
Authorization objects |
An authorization object groups up to ten fields that are related by AND. An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be maintained in the user master. |
Authorizations |
An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the following values: * for customer type (field: CUSTTYPE) and 02 for activity (field: ACTVT).
Use: Specifies permissible authorization object field values.
Contents: One or more values for each field. Authorizations allow you to specify any number of values or value ranges for a field. You can also allow all values, or allow an empty field as a permissible value.
Changes: All users with this authorization in their authorization profile are affected.
The R/3 System administrator can maintain authorizations as follows:
In the above graphic, the authorization Z:BANK_ALL could be the authorization for all activities and Z:BANK_001 the authorization for a certain area (for example Customers). |
Profile |
User authorizations are not usually assigned directly to user master records, but grouped together in authorization profiles. The system administrator can create authorization profiles automatically using the Profile Generator.
Use: Specifies authorizations in user master records.
Contents: Specific access rights, identified by an object name and a corresponding authorization name.
Changes: Only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.
In the example, Z:ACCOUNT is an authorization profile containing company code authorizations.
You can also create composite profiles in the manual maintenance under Tools |
User Master Record |
These enable the user to log on to the SAP System and allow access to the functions and objects in it within the limits of the specified authorization profiles. The user administrator maintains user master records under Tools → Administration, User maintenance → Users (SU01). Changes only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session. In the example, a user whose user master record contains the profile Z:ACCOUNT can perform the activities in the profile authorizations. |
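The check described above (fields of one authorization object related by AND, values taken from the authorizations in the profiles of the user master record) can be modelled as follows. This Python model is an added illustration, not SAP code or an SAP API; the profile Z:TRAVEL, the authorization Z_TRVL_DISP, the activity value 03, the users CLERK and GUEST and all function names are assumptions made for the example.

```python
# Simplified model of an authorization check (added example, not SAP code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Authorization:
    name: str      # authorization name, e.g. S_TRVL_CUS1
    obj: str       # authorization object, e.g. S_TRVL_BKS
    values: dict   # field -> list of "*", single values, or (low, high) ranges

def value_allowed(permitted, checked):
    """True if one permitted entry covers the value the program checks."""
    for entry in permitted:
        if entry == "*":                  # all values allowed
            return True
        if isinstance(entry, tuple):      # value range, bounds inclusive
            low, high = entry
            if low <= checked <= high:
                return True
        elif entry == checked:            # single value ("" = empty field)
            return True
    return False

def authority_check(user_profiles, profiles, obj, **fields):
    """Fields are ANDed within ONE authorization; values from different
    authorizations of the same object are never combined."""
    for profile in user_profiles:
        for auth in profiles.get(profile, []):
            if auth.obj != obj:
                continue
            if all(value_allowed(auth.values.get(f, []), v)
                   for f, v in fields.items()):
                return True
    return False

# Constructed sample data; S_TRVL_CUS1 / S_TRVL_BKS values follow the text.
PROFILES = {
    "Z:TRAVEL": [  # hypothetical profile
        Authorization("S_TRVL_CUS1", "S_TRVL_BKS",
                      {"CUSTTYPE": ["*"], "ACTVT": ["02"]}),
        Authorization("Z_TRVL_DISP", "S_TRVL_BKS",  # hypothetical authorization
                      {"CUSTTYPE": ["B"], "ACTVT": ["03"]}),
    ],
}
USER_MASTER = {"CLERK": ["Z:TRAVEL"], "GUEST": []}  # hypothetical users

def check(user, custtype, actvt):
    """Check object S_TRVL_BKS for the given user and field values."""
    return authority_check(USER_MASTER[user], PROFILES, "S_TRVL_BKS",
                           CUSTTYPE=custtype, ACTVT=actvt)
```

In this model CLERK passes the check for activity 02 with any customer type and for activity 03 with customer type B, but not for activity 03 with customer type P, because no single authorization covers both field values.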
For more information, see:
Assigning Authorizations
Authorization Checks
Authorization Check Scenario
See also:
Profile generator