
Authorization Concept

The authorizations for users are created using roles and profiles. The administrator
creates the roles, and the system supports him or her in creating the associated authorizations.

[Fig 1.1 Authorization Concepts. Diagram labels: Object Class; Authorization Object (User Master Maintenance: User Groups); Authorizations A and B; fields Activity (Create, Change, Display) and User Group (SUPER, Basis Admin, Finance).]

Authorization objects allow complex checks in which multiple conditions determine whether a
user may perform an action. An authorization is always associated with exactly one authorization
object and contains the values for the fields of that authorization object.

An authorization is a permission to perform a certain action in the SAP System. The
action is defined on the basis of the values for the individual fields of an authorization object.
When a user logs on to a client of an SAP system, his or her authorizations are loaded into the user
context. The user context is held in the user buffer (in the main memory) of the application server.

When the user calls a transaction, the system checks whether the user has an
authorization in the user context that allows him/her to call the selected transaction.
Authorization checks use the authorizations in the user context.

All authorizations are permissions. There are no authorizations that prohibit an action. Everything
that is not explicitly allowed is forbidden.

The user gets the necessary authorization through Roles. The role also contains the
authorizations users need to access the transactions, reports, web-based applications and so on,
contained in the menu.

The details of user administration are described in my other book “User Administration in SAP
R3 System”.

SAP Authorization Concept Modules
The SAP authorization concept modules are color-coded in the hierarchy display.

The basic SAP authorization concept terms are displayed below, before you specify the authorization field
values. The colors of the SAP authorization concept modules are the standard colors in the following
hierarchy display.

Explanation of terms:

Object class
Object classes have an orange background in the hierarchy display.

Authorization objects are divided into classes for comprehensibility. An object
class corresponds e.g. to an application (Financial accounting, etc.)

The SAP authorization concept object classes are under Tools →
Administration → User maintenance → Authorizations.

Authorization objects
Authorization objects have a green background in the hierarchy display.

You may need several authorizations to perform an operation in the SAP
System. The resulting contexts can be complex. The SAP authorization
concept, based on authorization objects, has been realized to provide an
understandable and simple procedure. Several system elements which are to
be protected form an authorization object.

An authorization object allows complex checks of an authorization against multiple
conditions. Authorizations allow users to execute actions within the system. An
authorization object groups up to ten fields that are related by AND.

For an authorization check to be successful, all field values of the authorization
object must be maintained in the user master.

You get the authorization object documentation by double-clicking on an
authorization object. The documentation describes how you maintain the
authorization values.

Authorizations
Authorizations have a yellow background in the hierarchy display.
Authorization fields are light blue and their values are white.

An authorization enables you to perform a particular activity in the SAP System,
based on a set of authorization object field values.

The programmer of a function decides whether, where and how authorizations
are to be checked. The program determines whether the user is authorized to
perform an activity by comparing the specified authorization object field values
in the program with the authorization values in the user master record.

T_9092029701 is an authorization for the authorization object
F_KNA1_BUK with the following values: * for company code and
01, 02 for activity.

Use of an authorization: Specifies permissible authorization object field
values.

Contents: One or more values for each field.

Authorizations allow you to specify any number of values or value ranges for a
field. You can also allow all values, or allow an empty field as a permissible
value.

Changes: All users with this authorization in their authorization profile are
affected.

You can maintain authorizations manually with reference to the authorization
object documentation or by double-clicking on a value field in the following dialog
box:

You can select individual field values or choose Full Authorization.

Profile
User authorizations are not usually assigned directly to user master records,
but grouped together in authorization profiles.

Authorizations can be collected in authorization profiles to reduce the
maintenance effort which would be required to enter individual authorizations in
the user master record. Access authorization changes affect all users with the
profile in their master record.

You can create profiles manually, but you should use the Profile generator.

Use: Specifies authorizations in user master records.

Contents: Specific access rights, identified by an object name and a
corresponding authorization name.

Changes only take effect when the user next logs on. Users who are logged on
when the change takes place are not affected in their current session.

In the example, T_58000097 is an authorization profile containing company
code authorizations.

User Master Record
These enable the user to log onto the SAP System and allow access to the
functions and objects in it within the limits of the specified authorization profiles.

Changes only take effect when the user next logs on. Users who are logged on
when the change takes place are not affected in their current session.

In the example a user whose user master record contains the profile
T_58000097 can perform the activities in the profile authorizations.

When a transaction is called, a system program makes various checks to ensure that the user has the
appropriate authorization.

Is the transaction code valid? (table TSTC check).

Is the transaction locked by the system administrator? (table TSTC check).

Is the user authorized to call the transaction?

The authorization object S_TCODE (call transaction) contains the field TCD (transaction code). The user
must have an authorization with a value for the selected transaction code.

Does the transaction code have an authorization object? If so, a check is made that the user has
authorization for this authorization object.

If one of these checks fails, the transaction is not called and the system sends a message.

If the transaction is called, it calls an ABAP program which makes further authorization checks with the
AUTHORITY-CHECK command. The programmer specifies an authorization object and the required
values for each authorization field.

AUTHORITY-CHECK checks whether a user has appropriate authorization. To do this, it searches in the
specified authorization profile in the user master record to see whether the user has authorization for the
authorization object specified in the command.

If the authorization is found and it contains the correct values, the check is successful.
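
The following Python sketch is an added example, not SAP code and not part of the original text. It models the check sequence described above: profiles resolved into a user context at logon, the checks made when a transaction is called, and a field-by-field check in which all fields are related by AND and anything not permitted is denied. The technical field names BUKRS and ACTVT, every Z* name, and the activity value 06 are assumptions made for illustration.

```python
# Simplified model of the checks described above; added example, not SAP code.
def value_matches(allowed, requested):
    """A permitted value is '*' (all values), a (low, high) range, or one value."""
    if allowed == "*":
        return True
    if isinstance(allowed, tuple):
        return allowed[0] <= requested <= allowed[1]
    return allowed == requested

def authorization_allows(fields, requested):
    """Fields are related by AND: each checked field needs a matching value."""
    return all(any(value_matches(v, want) for v in fields.get(name, ()))
               for name, want in requested.items())

def authority_check(user_context, obj, **requested):
    """Only permissions exist: succeed if one authorization for obj matches."""
    return any(o == obj and authorization_allows(f, requested) for o, f in user_context)

def load_user_context(user_profiles, profiles, authorizations):
    """At logon, the profiles in the user master record are resolved once."""
    return [authorizations[a] for p in user_profiles for a in profiles[p]]

def start_transaction(tcode, tstc, user_context):
    """Checks made before a transaction is called, in the order listed above."""
    entry = tstc.get(tcode)
    if entry is None:
        return "invalid transaction code"
    if entry["locked"]:
        return "transaction locked"
    if not authority_check(user_context, "S_TCODE", TCD=tcode):
        return "no S_TCODE authorization"
    if entry["object"]:
        obj, values = entry["object"]
        if not authority_check(user_context, obj, **values):
            return "no authorization for " + obj
    return "called"

# Constructed data: only T_9092029701 and T_58000097 are from the text; the rest is assumed.
AUTHORIZATIONS = {
    "T_9092029701": ("F_KNA1_BUK", {"BUKRS": ["*"], "ACTVT": ["01", "02"]}),
    "Z_DEMO_TCD": ("S_TCODE", {"TCD": ["ZCUST_CHG", "ZCUST_DEL"]}),
}
PROFILES = {"T_58000097": ["T_9092029701"], "Z_DEMO_PROF": ["Z_DEMO_TCD"]}
TSTC = {
    "ZCUST_CHG": {"locked": False, "object": ("F_KNA1_BUK", {"ACTVT": "02"})},
    "ZCUST_DEL": {"locked": False, "object": ("F_KNA1_BUK", {"ACTVT": "06"})},
    "ZCUST_OLD": {"locked": True, "object": None},
}
USER_CONTEXT = load_user_context(["T_58000097", "Z_DEMO_PROF"], PROFILES, AUTHORIZATIONS)
```

Because the user context is built once by `load_user_context`, a profile changed afterwards does not alter an existing context, which matches the statement that changes only take effect at the next logon.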
