This is the SAP Security Consultant page

Here you can find a lot of information on SAP Security

Authorization Objects and Field Values

An authorization object is what SAP uses to assign and enable complex checks that determine whether a user is allowed to perform certain operations on the system.

An authorization object consists of authorization fields; it can group up to 10 authorization fields, which are checked in an AND relationship.

Authorization objects are considered system elements to be protected and relate to data elements stored in the ABAP Dictionary.
We can put a single value or a range of values inside a field.
The values are called authorizations, and the system checks them in an OR relationship.
You can allow all values, or an empty value, as a permissible value.
The user needs all the right values to have access to the given system operation.

Usually, when we talk about transactions assigned to a user, we are talking about a check performed by the SAP system on all the authorization objects and authorization fields assigned to the user through roles.

When the user tries to start a transaction from the menu or directly, the SAP system performs different checks.
- The first check is on the TSTC table, to see whether the transaction is valid or does not exist.
- Then the system checks the authorization object S_TCODE, which contains the authorization field TCD (Transaction code). The value inside should be the same as the name of the transaction.
After these checks the user can access the transaction, but usually additional authorization objects are needed to use the transaction.

Other authorization objects can be added using the authorization object TSTA, which is stored in the TSTCA table.
Alternatively, they can be added at program level with the AUTHORITY-CHECK statement.

You can use transaction SU24 to see which authorization objects are assigned to a given transaction.
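As an added example that is not part of this page, the following Python model shows the two checks described above (TSTC, then S_TCODE with field TCD) and the AND/OR rules between fields and values. The TSTC entries and the user's authorizations are constructed sample data; S_USER_GRP with fields CLASS and ACTVT is a standard object used here only for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# A permitted value is a single value, "*" (all values) or an inclusive (low, high) range.
Value = Union[str, Tuple[str, str]]

@dataclass
class Authorization:
    obj: str                        # authorization object, e.g. "S_TCODE"
    fields: Dict[str, List[Value]]  # field name -> permitted values (at most 10 fields)

def value_matches(permitted: Value, requested: str) -> bool:
    """Check one permitted entry against one requested value."""
    if isinstance(permitted, tuple):          # range: inclusive string comparison
        low, high = permitted
        return low <= requested <= high
    if permitted == "*":                      # full authorization for this field
        return True
    return permitted == requested             # single value (an empty value "" is allowed too)

def field_allows(values: List[Value], requested: str) -> bool:
    """Values of one field are checked in an OR relationship."""
    return any(value_matches(v, requested) for v in values)

def authority_check(user_auths: List[Authorization], obj: str, **required: str) -> bool:
    """Fields are ANDed; any authorization for `obj` covering every requested field suffices."""
    for auth in user_auths:
        if auth.obj != obj:
            continue
        if len(auth.fields) > 10:
            raise ValueError("an authorization object holds at most 10 fields")
        if all(field_allows(auth.fields.get(name, []), val) for name, val in required.items()):
            return True
    return False

# Constructed sample of transaction codes present in table TSTC.
TSTC = {"SU01", "PFCG", "SE38", "VA01", "VA02", "VA03"}

def can_start_transaction(user_auths: List[Authorization], tcode: str) -> bool:
    """The two checks made when a transaction is started: TSTC, then S_TCODE/TCD."""
    if tcode not in TSTC:                     # 1st check: transaction must exist
        return False
    return authority_check(user_auths, "S_TCODE", TCD=tcode)   # 2nd check

# Constructed authorizations for one user, as they would come from two single roles.
USER_AUTHS = [
    Authorization("S_TCODE", {"TCD": ["SU01", ("VA01", "VA03")]}),
    Authorization("S_USER_GRP", {"CLASS": ["SUPER"], "ACTVT": ["03"]}),
]
```

With these authorizations the user can start SU01 and any transaction in the VA01-VA03 range but not PFCG, and the S_USER_GRP check fails as soon as one of its two fields (CLASS or ACTVT) is not covered.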

Authorization concept

The authorization concept in SAP involves provisioning user access using role-based identity management.
When the user logs into the system, the SAP application authenticates that user by checking the authorization objects assigned to that user.
In order to execute a transaction in SAP, the user needs to have the series of authorization objects required for that transaction and to pass all the checks done by the system.
All the authorization objects are assigned through a combination of roles or composite roles defined for the specific organizational position the user holds inside the company.
The roles can be assigned directly or indirectly through composite roles, which are groups of roles.

Introduction

The authorization concept for SAP involves the provisioning of SAP access using role-based identity management.

When a user logs into the SAP application, the system authenticates that user and performs access control by checking the authorization objects assigned to that user.

All the authorization objects are assigned to the user by ROLES created with PFCG.

There are several types of ROLES: single, composite and derived.

SINGLE ROLE - contains all the authorization data and the log-on menu structure, which consists of all the transactions assigned to that role. Users assigned to that role will be able to use the menu structure and the transactions.

COMPOSITE ROLE - this kind of role doesn't contain authorization objects. A composite role is needed to group related single roles. Users who are assigned to a composite role are automatically assigned the corresponding single roles that are part of the composite.

DERIVED ROLES - are similar to single roles and contain the authorization objects and menu structure, but the organizational levels are not defined.
This kind of role is suitable when we need to maintain roles that are the same but differ from each other on the organizational level.