SAP Authorization Concept (SAP Library - Identity Management)


  • 5/26/2018 SAP Authorization Concept (SAP Library - Identity Management)

    1/3

    5/10/2014 SAP Authorization Concept (SAP Library - Identity Management)

    http://help.sap.com/saphelp_nw04/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

    SAP Authorization Concept

    The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.

    To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.

    The following graphic shows the authorization components and their relationships.

    Explanation of the Graphic

    Term
        Comment

    User master record
        These enable the user to log on to the SAP System and allow access to the functions and objects in it within the limits of the authorization profiles specified in the role. The user master record contains all information about the corresponding user, including the authorizations.

        Changes only take effect when the user next logs on to the system. Users who are logged on when the change takes place are not affected in their current session.

    Single role
        Is created with the profile generator and allows the automatic generation of an authorization profile. The role contains the authorization data and the logon menu for the user.


    Composite role
        Consists of any number of single roles.

    Generated authorization profile
        Is generated in role maintenance from the role data.

    Manual authorization profile
        To minimize the maintenance effort if you are using authorization profiles, do not usually enter single authorizations in the user master record, but rather authorizations combined into authorization profiles. Changes to the authorization rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who are already logged on are not immediately affected by the changes.

        We strongly recommend that you do not assign profiles manually, but rather do so automatically with the profile generator.

    Composite profile
        Consists of any number of authorization profiles.

    Authorization
        Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object.

        An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

        Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.

        If you change authorizations, all users whose authorization profile contains these authorizations are affected.

        As a system administrator, you can change authorizations in the following ways:

          • You can extend and change the SAP defaults with role maintenance.
          • You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.

        The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.

        The line of the authorization is colored yellow in the profile generator.

    Authorization Object
        An authorization object groups up to ten fields that are related by AND.

        An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.

        Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.

        For information about maintaining the authorization values, double click an authorization object.

        The line of the authorization object is colored green in the profile generator.

    Authorization fields
        Contains the value that you defined. It is connected to the data elements stored with the ABAP Dictionary.
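
    The check described in the Authorization and Authorization Object entries above, modeled in Python as an added example (not SAP code and not part of the original page). The object Z_DEMO_DOC, the role names and the ALL marker are constructed, and the model assumes that all checked fields must match within a single authorization rather than across several.

```python
from dataclasses import dataclass, field

ALL = "*"  # constructed marker meaning "all values allowed"

def value_allowed(allowed, value):
    """allowed: list of single values, (low, high) ranges, ALL, or "" (empty)."""
    for a in allowed:
        if a == ALL or a == value:
            return True
        if isinstance(a, tuple) and a[0] <= value <= a[1]:
            return True
    return False

@dataclass
class Authorization:
    obj: str        # authorization object this authorization instantiates
    values: dict    # field name -> permissible values for that field

    def permits(self, requested):
        # Fields are related by AND: every checked field must match.
        return all(value_allowed(self.values.get(f, []), v)
                   for f, v in requested.items())

@dataclass
class Role:
    name: str
    profile: list   # generated profile: the role's authorizations

@dataclass
class UserMaster:
    roles: list = field(default_factory=list)

class Session:
    def __init__(self, user):
        # Authorizations are read at logon; later role changes need a new logon.
        self._auths = [a for r in user.roles for a in r.profile]

    def authority_check(self, obj, **requested):
        return any(a.obj == obj and a.permits(requested) for a in self._auths)

def demo():
    doc = "Z_DEMO_DOC"  # hypothetical object with fields BUKRS and ACTVT
    display = Role("Z_DISPLAY", [Authorization(doc, {"BUKRS": [("1000", "1999")], "ACTVT": ["03"]})])
    change = Role("Z_CHANGE", [Authorization(doc, {"BUKRS": ["2000"], "ACTVT": ["02"]})])
    user = UserMaster([display])
    s1 = Session(user)
    out = [s1.authority_check(doc, BUKRS="1500", ACTVT="03"),      # range and value match
           s1.authority_check(doc, BUKRS="1500", ACTVT="02")]      # ACTVT fails the AND
    user.roles.append(change)                                      # role assigned mid-session
    out.append(s1.authority_check(doc, BUKRS="2000", ACTVT="02"))  # old session unchanged
    s2 = Session(user)                                             # next logon
    out.append(s2.authority_check(doc, BUKRS="2000", ACTVT="02"))
    out.append(s2.authority_check(doc, BUKRS="1500", ACTVT="02"))  # no mixing across authorizations
    return out
```

    The last check is the one to watch when reviewing roles: holding display rights for one company code and change rights for another does not add up to change rights for the first.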

    The objects (such as authorizations, profiles, user master records, or roles) are assigned per client. For more information about transporting these objects from one client to another, or from one system to another, see the SAP Library, in the sections Transporting Authorization Components and Change and Transport System (BC-CTS).

    If you develop your own transactions or programs, you must add authorizations to your developments yourself (see Authorization Checks in Your Own Developments).

    To implement the authorization strategy successfully, you need a reliable authorization plan. To produce a plan, you must first decide which users may perform which tasks in the SAP system. You then need to assign the authorizations required for these tasks in the SAP system to each user.

    Working out a solid and reliable authorization plan is a constant process. We recommend that you regularly revise the authorization plan so that it always corresponds to your requirements. Define standard roles and procedures for creating and assigning roles, profiles, and authorizations.

    See also:

      • Assigning Authorizations
      • Authorization Checks
      • Authorization Checks in Customer Developments
      • Scenario for an Authorization Check
      • Role Maintenance
