General authorization concept of SAP

Introduction to the general authorization concept of SAP

Requirements for an authorization concept

A good authorization concept should have the following characteristics:

  • Reliability
The scope of a user's authorizations has to correspond with that user's operational responsibility.
  • Security
It has to be guaranteed that no unauthorized user has access to sensitive data or programs.
  • Testability
The concept has to be comprehensible and transparent for internal as well as external auditors.
  • Flexibility
It should be easily adaptable if, for example, organizational changes occur or new modules have to be integrated.
  • Comprehensibility
It should be easily comprehensible for all those involved, for example through naming conventions for users, authorizations and profiles.

Functional structure

The authorization concept of SAP represents the fundamental security function of the system. All relevant security functions are controlled via the authorization concept, for example the control of system modifications or the segregation of duties within the modules. The main principle on which the authorization concept is built is the protection of individual fields. Every user works with screens, which in turn consist of several fields.

It should not be possible for every user to have unrestricted access to all fields with all potential values. Users should only get access to individual fields where this corresponds to a work-related need. In this way, the fields are protected from unauthorized access.

To achieve this, authorization objects were created in the SAP system; an authorization object is laid over the individual fields like a mask. This mask can consist of up to ten fields. In this mask, the values that will be assigned to the user are maintained. In Release ECC 6 there are 2,580 predefined authorization objects, in 4.7 about 1,033, in 4.6C 947, in 4.6B 891 and in 4.0B 711.

Analysis of an authorization object:

Authorization object   Authorization field   Authorization value   Description
F_KNA1_BUK             ACTVT                 03                    Determines the activity.
F_KNA1_BUK             BUKRS                 $BUKRS                Determines in which company-code-dependent part of the master data the activity defined above may be executed.
The example above lists an authorization object that controls access to the company code data of the general customer master data. This authorization object consists of two fields. The first field, ACTVT, determines which activities may be executed; in this example the value 03 grants display authorization. The second field, BUKRS, restricts the assigned activity to selected company codes. Company codes can be entered explicitly in this field, for example 0001.

With these values assigned to the authorization object, the company code data can be displayed for company code 0001.

By assigning values to the fields of an authorization object, an authorization for this object is created.

SAP is transaction controlled. That means that basically every application within SAP is represented by a transaction.

For every authorization object an unlimited number of authorizations can be created, since the field values can be combined with one another in many ways.

An authorization cannot be assigned directly to a user; instead, authorizations are collected in a profile. Profiles in which authorizations are collected are also called single profiles. Only from the profile level upwards can an assignment to users take place. SAP furthermore allows profiles to be combined into composite profiles. A composite profile combines no authorizations, only other profiles.

The best-known composite profile is SAP_ALL, which contains (just about) all authorizations of the SAP system. The profile SAP_ALL itself contains no authorizations, only other profiles. A profile can contain either authorizations or profiles, but not a combination of both.

Composite profiles can also be nested in other composite profiles. There is no limit on the nesting depth at the composite profile level other than the one imposed by the database structure (300 profile entries per composite profile). Composite profiles are assigned to users just like single profiles. The user then receives all authorizations contained in the profiles of the composite profile.

Since the integration of the profile generator into SAP, profiles are created with the help of this tool. The profile generator creates roles. A role is similar to a container for one or more generated profiles that contain the defined authorizations. Roles may be combined into composite roles; here the nesting depth is limited to one level only.

Roles as well as composite roles may be assigned to users.
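A runnable model of the structure just described, added here as an illustration and not taken from SAP or from the original article. The object and field names F_KNA1_BUK, ACTVT and BUKRS are from the text; the profile and role names (Z_CUST_DISP and the like), the bare "*" as wildcard and the activity code 02 (change) are assumptions of the model.

```python
# Model of the structure explained above (added example, not SAP code): an
# authorization is a set of field values for one object, profiles and roles
# collect them, and a check passes only if ONE authorization satisfies ALL
# requested fields (AND within an authorization, OR across authorizations).
from dataclasses import dataclass, field

@dataclass
class Authorization:
    obj: str      # authorization object, e.g. "F_KNA1_BUK"
    values: dict  # field -> set of allowed values; "*" stands for any value
    def matches(self, obj, wanted):
        if obj != self.obj:
            return False
        # only the fields named in the check are evaluated, all against this one authorization
        return all(v in self.values.get(f, ()) or "*" in self.values.get(f, ())
                   for f, v in wanted.items())

@dataclass
class Profile:
    name: str
    authorizations: list = field(default_factory=list)  # single profile
    profiles: list = field(default_factory=list)        # composite profile
    def __post_init__(self):
        # either authorizations or profiles, never both; 300 entries per composite
        if self.authorizations and self.profiles:
            raise ValueError(f"{self.name}: mixes authorizations and profiles")
        if len(self.profiles) > 300:
            raise ValueError(f"{self.name}: more than 300 profile entries")
    def flatten(self):  # composite profiles may nest to any depth
        return self.authorizations + [a for p in self.profiles for a in p.flatten()]

@dataclass
class Role:
    name: str
    profiles: list = field(default_factory=list)  # generated profiles
    roles: list = field(default_factory=list)     # composite role: one level only
    def __post_init__(self):
        if any(r.roles for r in self.roles):
            raise ValueError(f"{self.name}: composite roles nest only one level")
    def flatten(self):
        return ([a for p in self.profiles for a in p.flatten()]
                + [a for r in self.roles for a in r.flatten()])

def authority_check(assignments, obj, **wanted):
    # assignments: the profiles and roles assigned to the user
    return any(a.matches(obj, wanted) for x in assignments for a in x.flatten())

# Constructed sample from the text: display (ACTVT 03) customer data for company code 0001 only
Z_CUST_DISP = Profile("Z_CUST_DISP", [Authorization("F_KNA1_BUK", {"ACTVT": {"03"}, "BUKRS": {"0001"}})])
```

The point to take away: two authorizations in one profile, one with ACTVT 03 for 0001 and one with ACTVT 02 for 0002, do not grant change access to 0001, whereas a single authorization holding both values in both fields does.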

(c) www.gotothings.com All material on this site is Copyright.