{"id":285,"date":"2011-10-29T10:08:02","date_gmt":"2011-10-29T10:08:02","guid":{"rendered":"http:\/\/sapsecurityanalyst.com\/WP\/?page_id=285"},"modified":"2015-05-03T09:09:06","modified_gmt":"2015-05-03T09:09:06","slug":"elements-in-sap-authorization","status":"publish","type":"page","link":"https:\/\/sapsecurityanalyst.com\/WP\/general-disclaimer\/elements-in-sap-authorization\/","title":{"rendered":"Elements in SAP Authorization"},"content":{"rendered":"<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\">As already discussed, roles play an important part in user authorization. In this post we will discuss roles and the other elements of SAP authorization, such as profiles, authorization objects and authorization fields.<\/span><\/span><\/p>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\"><br \/>\nOnce a user is created, it needs authorizations before it can perform any activity in SAP. A user is created via the <span style=\"color: #0000ff;\"><strong>SU01<\/strong><\/span>\u00a0transaction code. A <span style=\"color: #0000ff;\"><strong>transaction code<\/strong><\/span> can be understood as a command which, when executed, runs a program or report.<\/span><\/p>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\"><br \/>\nSo when we want to create a user, we execute the SU01 transaction code (also called <em>tcode<\/em>). After this tcode is executed, we get the screen for creating a user (assuming that we have the other authorizations necessary to create users).<\/span><\/p>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\"><br \/>\nRoles are assigned to users in the &#8220;Roles&#8221; tab in SU01. 
Roles are basically containers which contain tcodes, authorization objects etc. When a role is generated, we get a profile which provides the authorizations. Tcode PFCG (Profile Generator) is used for creating and maintaining roles.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #4c4c4c;\"><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/1.jpg\"><span style=\"color: #4c4c4c;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-466\" title=\"1\" src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/1.jpg\" alt=\"\" width=\"409\" height=\"326\" srcset=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/1.jpg 409w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/1-300x239.jpg 300w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/1-290x231.jpg 290w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/1-150x119.jpg 150w\" sizes=\"(max-width: 409px) 100vw, 409px\" \/><br \/>\n<\/span><\/a><\/span><\/p>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\"><br \/>\nSome of the basic elements of SAP authorization are:<\/span><\/p>\n<p><strong><span style=\"color: #0000ff; font-family: verdana;\">(1) Authorization object<br \/>\n<span style=\"color: #0000ff; font-family: verdana;\">(2) Authorization Class<br \/>\n<span style=\"color: #0000ff; font-family: verdana;\">(3) Authorization field<br \/>\n<span style=\"color: #0000ff; font-family: verdana;\">(4) Authorization<br \/>\n<span style=\"color: #0000ff; font-family: verdana;\">(5) Authorization Profile<br \/>\n<span style=\"color: #0000ff; font-family: verdana;\">(6) Role<\/span><\/span><\/span><\/span><\/span><br \/>\n<\/span><br \/>\n<\/strong><\/p>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">An 
<span style=\"color: #0000ff;\"><strong>Authorization Object<\/strong><\/span> is a collection of 1 to 10 authorization fields. All the authorization fields are checked simultaneously. This means that if an authorization object has two fields a1 and a2, then the values in both fields will be checked together, such that the two fields follow an &#8220;AND&#8221; rule for that particular instance of the authorization object.<\/span><\/li>\n<\/ul>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">An <span style=\"color: #0000ff;\"><strong>Authorization Class<\/strong><\/span>\u00a0is a logical grouping of similar authorization objects (e.g. similar in the sense of the functional module they support). It can be seen in PFCG how different authorization objects are logically grouped under different authorization classes like FI, HR etc. We can also verify this in tcode SU21, which is used for creating authorization objects. Custom authorization objects should always follow the naming standard, i.e. their names begin with Y or Z. These authorization objects are logically grouped under custom authorization classes, whose names should also follow the customer naming conventions.<\/span><\/li>\n<\/ul>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">An <span style=\"color: #0000ff;\"><strong>Authorization Field<\/strong><\/span> can be defined as the smallest authorization unit against which a check is made. As already discussed earlier, an authorization object can have 1 to 10 authorization fields and all the fields are checked simultaneously. An example of an authorization object is S_TCODE. It has only one field, TCD. 
Another example is authorization object S_TABU_DIS, which has two fields: ACTVT (which means Activity) and BRGRU (which means Authorization group; we will discuss this later). Object S_TABU_DIS is used for authorizations related to table maintenance, and we have just seen that it is a collection of two fields.<\/span><\/li>\n<\/ul>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">An <span style=\"color: #0000ff;\"><strong>Authorization<\/strong><\/span> can be defined as an instance of an authorization object. An authorization object can have different sets of field values in a given role. For example: for authorization object S_TABU_DIS (discussed earlier), the field values can be ACTVT:03 and BRGRU:SS. It means that for tables belonging to authorization group (BRGRU) SS, the activity is 03 (i.e. display). So the user gets access to display certain tables (those belonging to authorization group SS).<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #4c4c4c;\"><span style=\"font-family: verdana;\"><span style=\"font-family: verdana;\"><br \/>\nNow suppose the user also needs access to change certain tables, and suppose those tables belong to authorization group AA. Then the above combination of &#8220;ACTVT:03 and BRGRU:SS&#8221; will not give change access to the AA tables. We will need another combination, i.e. 
&#8220;ACTVT:02 (02 means change) and BRGRU:AA&#8221;, to fulfill our requirement.<br \/>\n<\/span><\/span><\/span><\/p>\n<p><span style=\"color: #4c4c4c;\"><span style=\"font-family: verdana;\"><br \/>\n<span style=\"font-family: verdana;\">Assuming both the authorizations (display access to SS and change access to AA auth group tables) need to be given via the same role, we will have to use two instances of authorization object S_TABU_DIS in the role with two different sets of values: &#8220;ACTVT:03; BRGRU:SS&#8221; and &#8220;ACTVT:02; BRGRU:AA&#8221;. Both these instances provide different authorizations, hence we can say that &#8220;An authorization is an instance of an authorization object&#8221;.<\/span><\/span><\/span><\/p>\n<p><span style=\"color: #4c4c4c;\"><span style=\"font-family: verdana;\"><span style=\"font-family: verdana;\"><br \/>\n<\/span><br \/>\n<\/span><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/authorization1.jpg\"><span style=\"color: #4c4c4c;\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-491 aligncenter\" title=\"authorization\" src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2011\/10\/authorization1.jpg\" alt=\"\" width=\"859\" height=\"272\" \/><br \/>\n<\/span><\/a><\/span><br \/>\n<span style=\"color: #4c4c4c; font-family: verdana;\"> The above screen shows an example of how authorizations are maintained in a test role. 
We see various color-coded lines:<br \/>\n<\/span><\/p>\n<ol>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">The <span style=\"color: #0000ff;\"><strong>orange<\/strong><\/span> line represents an authorization class, e.g. Human Resources (HR) in the screen above.<\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">The <span style=\"color: #0000ff;\"><strong>green<\/strong><\/span> line below that represents an authorization object &#8211; P_TCODE as shown above.<\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">The <span style=\"color: #0000ff;\"><strong>yellow<\/strong><\/span> line (ZTEST123__00) represents an instance of an authorization object, i.e. it represents an authorization.<\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">The <span style=\"color: #0000ff;\"><strong>pale blue<\/strong><\/span> line (TCD) represents an authorization field.<\/span><\/li>\n<\/ol>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">An <span style=\"color: #0000ff;\"><strong>Authorization Profile<\/strong><\/span>\u00a0can be defined as a collection of authorizations. 
An authorization profile is created\/maintained when a role is generated.<\/span><\/li>\n<\/ul>\n<h3><span style=\"color: #e63518;\">We hope that this post about elements in SAP Authorization was helpful. <em><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/general-disclaimer\/roles\" target=\"_blank\"><span style=\"color: #e63518;\">Please click here for further discussion on concepts of Roles.<\/span><\/a><\/em><\/span><\/h3>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"parent":38,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/285"}],"collection":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/comments?post=285"}],"version-history":[{"count":28,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/285\/revisions"}],"predecessor-version":[{"id":2133,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/285\/revisions\/2133"}],"up":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/38"}],"wp:attachment":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/media?parent=285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}