SAP Authorization Concept: Term Explanation
The SAP authorization concept protects transactions, programs, and services in SAP systems from
unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the
users that determine which actions a user can execute in the SAP System, after he or she has logged on to the
system and authenticated himself or herself.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as
business objects or transactions are protected by authorization objects. The authorizations represent instances
of generic authorization objects and are defined depending on the activity and responsibilities of the
employee. The authorizations are combined in an authorization profile that is associated with a role. The user
administrators then assign the corresponding roles using the user master record, so that the user can use the
appropriate transactions for his or her tasks.
The following graphic shows the authorization components and their relationships.
Term: Explanation
User master record: These enable the user to log onto the SAP System and allow access to the functions and objects in it within the limits of the authorization profiles specified in the role. The user master record contains all information about the corresponding user, including the authorizations. Changes only take effect when the user next logs on to the system. Users who are logged on when the change takes place are not affected in their current session.
Single role: Is created with the profile generator and allows the automatic generation of an authorization profile. The role contains the authorization data and the logon menu for the user.
Composite role: Consists of any number of single roles.
Generated authorization profile: Is generated in role maintenance from the role data.
Manual authorization profile: To minimize the maintenance effort if you are using authorization profiles, do not usually enter single authorizations in the user master record, but rather authorizations combined into authorization profiles. Changes to the authorization rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who are already logged on are not immediately affected by the changes. We strongly recommend that you do not assign profiles manually, but rather do so automatically with the profile generator.
Authorization: You can extend and change the SAP defaults with role maintenance. You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
Authorization object class: Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.
Authorization object: For information about maintaining the authorization values, double click an authorization object. The line of the authorization object is colored green in the profile generator.
Authorization fields: Contains the value that you defined. It is connected to the data elements stored with the ABAP Dictionary.
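Added example (not SAP code and not part of the original page): a simplified Python model of the components described above, showing how a check resolves from the user master record through composite and single roles to profiles and authorizations, and why a user who is already logged on does not see a changed role assignment until the next logon. All class, role, object and field names are hypothetical, and the generated profile is assumed to be simply the role's authorization data.

```python
from dataclasses import dataclass, field

@dataclass
class Authorization:
    """Instance of an authorization object: permitted values per authorization field."""
    obj: str
    values: dict  # authorization field -> set of permitted values

    def permits(self, obj, request):
        return obj == self.obj and all(
            v in self.values.get(f, ()) for f, v in request.items())

@dataclass
class SingleRole:
    name: str
    authorization_data: list  # Authorization instances maintained in the role

    def generated_profile(self):
        return tuple(self.authorization_data)

@dataclass
class CompositeRole:
    name: str
    single_roles: list

@dataclass
class UserMasterRecord:
    user: str
    roles: list = field(default_factory=list)

    def profiles(self):
        for role in self.roles:
            singles = role.single_roles if isinstance(role, CompositeRole) else [role]
            for single in singles:
                yield single.generated_profile()

class Session:
    """Authorizations are loaded once at logon; later record changes need a new logon."""
    def __init__(self, record):
        self.authorizations = [a for p in record.profiles() for a in p]

    def check(self, obj, **request):
        return any(a.permits(obj, request) for a in self.authorizations)

def demo():
    # Constructed sample data; every name below is hypothetical.
    display = SingleRole("Z_DISPLAY", [Authorization("Z_DOC", {"ACTIVITY": {"display"}})])
    change = SingleRole("Z_CHANGE", [Authorization("Z_DOC", {"ACTIVITY": {"change"}})])
    record = UserMasterRecord("ALICE", [display])
    before = Session(record)  # logged on before the role assignment changes
    record.roles.append(CompositeRole("Z_CLERK", [display, change]))
    after = Session(record)   # next logon picks up the new assignment
    return before.check("Z_DOC", ACTIVITY="change"), after.check("Z_DOC", ACTIVITY="change")
```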