Organizing the Maintenance of the Authorization System SAP BASIS

The SAP authorization system offers many options for organizing the administration of users, authorizations, and profiles, which makes it quite flexible when defining administrative roles. Depending on the type, size, and security requirements of the installation, the setup can range from a single superuser who performs all user and authorization maintenance to several decentralized administrators, each with different maintenance functions and limited authorizations. For maximum system security, SAP recommends that customers divide the maintenance of the user and authorization system among three types of administrators:

  • User administrators. They are in charge of creating and modifying user master records. User administrators can set user parameters, edit the list of assigned profiles, and so forth. They cannot create, change, or activate roles, authorizations, or profiles. User administration can be further partitioned by restricting each user administrator to certain user groups.
  • Authorization administrators. These users can define or modify roles, authorizations, and profiles; however, they are not permitted to activate authorizations or profiles. Authorization administrators work only with the maintenance (inactive) versions of authorizations and profiles; the active versions in use by the system remain untouched until an activation administrator releases the revised versions.
  • Activation administrators. They are in charge of activating profiles and authorizations. This type of administrator cannot change authorizations or profiles; they can only activate the revised versions that the authorization administrators have prepared.

Dividing the maintenance responsibilities among different administrators increases the security of the system against unwanted changes to user master records, authorizations, and profiles: no single administrator can both create an authorization and put it into effect, so a malicious or erroneous change needs two people to become active. Another advantage is the decentralization of user administration. In large installations with hundreds of users, it is good practice to divide user maintenance functions by department, building, regional office, and so forth. To implement these administrative roles, the superuser uses authorizations to limit which user groups are maintained by which user administrators and which authorizations and profiles can be maintained or activated by which administrators.

Because the superuser can limit and restrict the access rights, the decentralized administrators do not need to be high-level technical staff; they can be normal company users. As a superuser, you define new profiles for these administrators using the standard S_A.ADMIN profile as a template and restricting the field values of the user-administration authorization objects: the user group (field CLASS of object S_USER_GRP), the authorization names (S_USER_AUT), and the profile names (S_USER_PRO). The decisive setting is the Activity field (ACTVT) of each object, because that is what separates "create and change" from "activate" and from "assign to a user".
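The following authorization values implement the three-way split described above. This is an added worked example, not a fragment of the page or of any SAP-delivered profile; the user group SALES and the name pattern Z_SALES* are assumed placeholders, and the activity codes are the standard SAP values (01 create, 02 change, 03 display, 05 lock, 06 delete, 07 activate/generate, 22 assign/include).

```text
User administrator for user group SALES (maintains users, may assign but not build)
  S_USER_GRP   CLASS   = SALES           ACTVT = 01, 02, 03, 05, 06
  S_USER_PRO   PROFILE = Z_SALES*        ACTVT = 22
  S_USER_AUT   (no authorization at all)

Authorization administrator for the Z_SALES* objects (builds, cannot activate)
  S_USER_AUT   OBJECT = *   AUTH = Z_SALES*   ACTVT = 01, 02, 03, 06
  S_USER_PRO   PROFILE = Z_SALES*             ACTVT = 01, 02, 03, 06
  S_USER_GRP   (no authorization at all)

Activation administrator for the Z_SALES* objects (activates, cannot build or assign)
  S_USER_AUT   OBJECT = *   AUTH = Z_SALES*   ACTVT = 03, 07
  S_USER_PRO   PROFILE = Z_SALES*             ACTVT = 03, 07
  S_USER_GRP   (no authorization at all)

Weak setting that silently collapses the split (do not do this):
  S_USER_PRO   PROFILE = *                    ACTVT = *
```

The check to make after building such profiles is that no single profile grants both 01/02 and 07 on S_USER_AUT or S_USER_PRO, and that the user administrator's S_USER_PRO carries only 22; ACTVT = * on any of these objects hands the holder every role in the split at once.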

Refer to the SAP online documentation in the "Users and Authorization" help file for details on setting values for dividing up administrative roles.

Creating New Authorization Checks

Although the SAP Web Application Server includes virtually all the authorization objects and checks needed to test whether users may access the standard system functions, customers often add new development objects and functions to extend the system. In such cases, customers also need to include a new authorization check, because a custom transaction or report is protected by nothing unless it checks something itself. SAP provides several ways to include new authorization checks for custom-developed objects or transactions, the most important being:

  • By programming the authorization check using the ABAP standard statement AUTHORITY-CHECK
  • By assigning authorization groups to tables, maintaining table TDDAT, and using authorization object S_TABU_DIS
  • By using authorization object S_PROGRAM and program authorization groups, maintaining table TPGP

For specific details about these procedures, please refer to the SAP online documentation.
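The following report shows the first two of these methods in working ABAP: an explicit AUTHORITY-CHECK against a custom object, and a table read that honours S_TABU_DIS by looking up the table's authorization group in TDDAT first, exactly as SE16 or SM30 would. It is an added example written for this page, not code from SAP or from the original article. Assumptions, labelled as such in the code: Z_CUSTOMR is a hypothetical custom authorization object that would be created in SU21 with the fields BUKRS and ACTVT; the class name lcl_auth is this example's own; TDDAT and T001 are real SAP tables.

```abap
REPORT z_authcheck_example.

" Added example (not from SAP or the original page).
" Assumptions:
"   Z_CUSTOMR  hypothetical custom authorization object (SU21) with the
"              fields BUKRS (company code) and ACTVT (activity)
"   T001       real SAP table of company codes, used as the read target
"   TDDAT      real SAP table mapping tables to authorization groups
"
" sy-subrc after AUTHORITY-CHECK (the statement itself never aborts):
"   0  granted                   4  object held, but not for these values
"   8  object not in user master 12 object does not exist (typo, not transported)
" Every value other than 0 must be treated as a denial.

PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

CLASS lcl_auth DEFINITION.
  PUBLIC SECTION.
    CONSTANTS c_display TYPE activ_auth VALUE '03'.

    " Custom check: may the user perform iv_actvt for this company code?
    CLASS-METHODS may_run
      IMPORTING iv_bukrs     TYPE bukrs
                iv_actvt     TYPE activ_auth
      RETURNING VALUE(rv_ok) TYPE abap_bool.

    " Table check: S_TABU_DIS for the authorization group TDDAT assigns
    " to the table, so custom reads are no weaker than SE16.
    CLASS-METHODS may_display_table
      IMPORTING iv_tabname   TYPE tabname
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD may_run.
    AUTHORITY-CHECK OBJECT 'Z_CUSTOMR'
      ID 'BUKRS' FIELD iv_bukrs
      ID 'ACTVT' FIELD iv_actvt.
    " The only result of AUTHORITY-CHECK is sy-subrc; forgetting to
    " evaluate it is the classic way a custom check becomes a no-op.
    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD may_display_table.
    DATA lv_group TYPE tddat-cclass.
    SELECT SINGLE cclass FROM tddat
      WHERE tabname = @iv_tabname
      INTO @lv_group.
    IF sy-subrc <> 0.
      " Tables with no TDDAT entry belong to the default group &NC&;
      " check that group rather than silently allowing the read.
      lv_group = '&NC&'.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_group
      ID 'ACTVT'     FIELD c_display.
    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Fail closed: a type E message stops processing before any data access.
  IF lcl_auth=>may_run( iv_bukrs = p_bukrs
                        iv_actvt = lcl_auth=>c_display ) = abap_false.
    MESSAGE 'No authorization for this company code' TYPE 'E'.
  ENDIF.

  IF lcl_auth=>may_display_table( 'T001' ) = abap_false.
    MESSAGE 'No display authorization for table T001' TYPE 'E'.
  ENDIF.

  SELECT SINGLE butxt FROM t001
    WHERE bukrs = @p_bukrs
    INTO @DATA(lv_name).
  IF sy-subrc = 0.
    WRITE: / p_bukrs, lv_name.
  ENDIF.
```

Two practical notes. First, the custom object only has an effect once it is also in the users' authorizations: after creating Z_CUSTOMR in SU21, add it to the relevant roles in PFCG (or maintain SU24 so PFCG proposes it for the transaction), then activate and assign the generated profile. Second, a failed check can be diagnosed by the affected user with transaction SU53, which displays the object and field values of the last unsuccessful AUTHORITY-CHECK; the example above returns sy-subrc 12 for everyone until the object actually exists in the system, which SU53 makes obvious.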

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd