Introduction

The SAP authorization concept involves provisioning SAP access through role-based identity management.


When a user logs into the SAP application, the system authenticates that user and performs access control by checking the authorization objects assigned to that user.

All authorization objects are assigned to the user through ROLES created with PFCG.

There are several types of ROLES: single, composite and derived.

SINGLE ROLE - contains all the authorization data and the log-on menu structure, which consists of all the transactions assigned to that role. A user assigned to that role will be able to use the menu structure and the transactions.

COMPOSITE ROLE - this kind of role doesn't contain authorization objects. The composite role is needed to group related single roles. Users who are assigned to a composite role are automatically assigned to the corresponding single roles that are part of the composite.

DERIVED ROLES - are similar to single roles and contain the authorization objects and menu structure, but the organizational levels are not defined.
This kind of role is suitable when we need to maintain roles that are the same but differ from each other at the organizational level.
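
The following is an added example, not SAP code and not part of the original page: a simplified Python model of how the three role types combine when an authorization check runs. The role names, users and values are constructed, and treating a derived role as a single-role template plus its own organizational values is a modelling assumption.

```python
# Simplified model of the role types described above (not SAP's implementation).
# All role names, users and values are constructed for illustration.
ROLES = {
    # Single role: carries the authorization data; BUKRS is left as an org-level variable.
    "Z_AP_CLERK": {"type": "single",
                   "auths": [("S_TCODE", {"TCD": "FB60"}),
                             ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "$BUKRS"})]},
    # Derived roles: same authorization objects, different organizational level.
    "Z_AP_CLERK_1000": {"type": "derived", "from": "Z_AP_CLERK", "org": {"$BUKRS": "1000"}},
    "Z_AP_CLERK_2000": {"type": "derived", "from": "Z_AP_CLERK", "org": {"$BUKRS": "2000"}},
    "Z_DISPLAY": {"type": "single", "auths": [("S_TCODE", {"TCD": "FB03"})]},
    # Composite role: no authorizations of its own, only a grouping of other roles.
    "Z_AP_TEAM_1000": {"type": "composite", "roles": ["Z_AP_CLERK_1000", "Z_DISPLAY"]},
}
USERS = {"ALICE": ["Z_AP_TEAM_1000"], "BOB": ["Z_AP_CLERK_2000"]}


def role_auths(name):
    """Return the (object, field values) pairs a role contributes to a user."""
    role = ROLES[name]
    if role["type"] == "composite":
        # Assignment to a composite means assignment to each role it groups.
        return [auth for member in role["roles"] for auth in role_auths(member)]
    if role["type"] == "derived":
        # Take the template's objects and fill in this role's organizational values.
        template = ROLES[role["from"]]["auths"]
        return [(obj, {f: role["org"].get(v, v) for f, v in vals.items()})
                for obj, vals in template]
    # Single role: an unfilled org-level variable matches no real value.
    return list(role["auths"])


def authority_check(user, obj, **wanted):
    """True if one authorization of `obj` held by the user matches every field."""
    for role in USERS.get(user, []):
        for held_obj, vals in role_auths(role):
            if held_obj == obj and all(vals.get(f) == v for f, v in wanted.items()):
                return True
    return False


if __name__ == "__main__":
    for user, bukrs in [("ALICE", "1000"), ("ALICE", "2000"), ("BOB", "2000")]:
        ok = authority_check(user, "F_BKPF_BUK", ACTVT="01", BUKRS=bukrs)
        print(f"{user} post in company code {bukrs}: {'allowed' if ok else 'denied'}")
```

The two derived roles differ only in the company code they grant, so a review of who can post where reduces to comparing their organizational values.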