The Authorization System in SAP WAS SAP BASIS

The authorization system of the SAP system is the general term that groups all the technical and management elements for granting access privileges to users to enforce the SAP system security. An access privilege is permission to perform a particular operation in the SAP system. Access privileges in SAP systems are granted to users by assigning them authorizations, profiles or roles. By entering such roles and profiles in user master records, you enable users to use the system.

The main features and concepts of the SAP authorization system can be summarized as follows:

  • The authorization system is based on complex system objects with multiconditional testing of system access privileges. The authorization system tests multiple conditions before granting users the permission to perform a task in the system. A multiconditional access test is defined in an authorization object. A multiconditional testing is, for example, to allow users to create, display, or delete information from one purchasing center, but only display information in another purchasing center. The following list shows this concept:

  • The authorization system uses authorization profiles and roles, together with the Role Maintenance (former Profile Generator) tool, to make the maintenance of the user master records easier. Authorization profiles are groups of authorizations. Instead of entering every authorization in the user master records, administrators only have to enter either roles, profiles, or both.
  • Authorization profiles can be either simple or composite. Composite profiles contain other profiles.
  • The authorization system uses an activation method. When authorization or profiles are created or modified, they must be activated to become effective.
  • The SAP authorization system provides mechanisms for the distribution of the maintenance tasks related with users and access privileges, such as assigning authorizations, roles, activating profiles, managing new authorizations, and so on. These tasks can be done by a single superuser or they can be divided among several administrators.

SAP systems include many predefined authorizations, profiles, and roles that cover most of the usual needs for assigning access privileges to users. Before creating a new role or profile, you should try to use an existing predefined one. The complex objects of the SAP authorization system are structured in a hierarchical but flexible way. The next section introduces the main elements of the authorization system.

Hierarchy of authorization system

Hierarchy of authorization system

In order to aid understanding of the authorization system, basic concepts are explained first. Then the manual procedure for creating profiles and authorizations is introduced, and finally the Role Maintenance tool and how to work with it are covered.

Authorization Profiles

An authorization profile contains a group of authorizations, that is, a group of access privileges. Profiles are assigned to users in the user master records. A profile could represent a simple job position since it defines the tasks for which a user has access privileges. Every profile might have as many access privileges (authorizations) as desired. Profiles can contain authorization objects and authorizations.

Changing the list or contents of the authorizations inside a profile affects all users that are given that profile when this is activated. It becomes effective the next time the user logs on. The change is not effective for users currently logged on.

Composite Profiles

Composite profiles are sets of authorization profiles, both simple and composite. A composite profile can contain an unlimited number of profiles. They can be assigned to users just as profiles in the user master records are. Composite profiles are suitable for users who have different responsibilities or job tasks in the system. These profiles are sometimes known as reference profiles for assigning a larger group of access privileges and having the possibility to better match users with several responsibilities.

Making modifications to any of the profiles in the list included in the composite profile directly affects the access privileges of all users having that composite profile in the user master record. When displaying profiles on the different SAP screens, there is a description indicating whether the profile is simple or composite.


The SAP system uses authorizations to define the permitted values for the fields of an authorization object. An authorization might contain one or more values for each field of the authorization object. An authorization object is like a template for testing access privileges, consisting of authorization fields that finally define the permitted values for the authorization. Both authorization objects and fields are explained in the next two sections.

An authorization is identified with the name of an authorization object and the name of the authorization created for the object. An authorization can have many values or ranges of values for a single field. It is also possible to authorize for every value (by entering an asterisk, *) or for none (by leaving the field blank).You can see that for the object, Batch processing: Batch administrator, there are several authorizations. Each of these authorizations can have different values for the authorization fields within the object.

Example of authorization list for an authorization object

Example of authorization list for an authorization object

Authorizations are entered in authorization profiles with the corresponding authorization object. When an authorization is changed and then activated, it immediately affects all users having a profile containing that authorization in their user master records. The technical names for authorizations and authorization objects have a maximum of 12 positions, but usually they are displayed in the system using short descriptive texts. For customer-created authorizations, the only name restriction is to not place an under score in the second position of the technical name. Additionally, every customer-created system object should comply with SAP standard style guide and begin either with a Z or a Y to distinguish it from the SAP original objects, thus avoiding the possibility of being overwritten by a system upgrade.

Authorization Objects

An authorization object identifies an element or object within the SAP system that needs to be protected. These objects work like templates for granting access rights by means of authorization fields that allow for performing complex tests of access privileges. An authorization object can contain a maximum of 10 authorization fields. Users are permitted to perform a system function only after passing the test for every field in the authorization object. The verification against the field contents is done with the logical AND operator. With this mechanism, the system can perform multiconditional tests. As with authorizations, when maintaining authorization objects, the system does not display the names but descriptive text for each object.

Authorization objects are grouped in object classes belonging to different application areas that are used to limit the search for objects, thus making it faster to navigate among the many SAP system objects. SAP predefined authorization objects should not be modified or deleted, except if instructed by the SAP support personnel or a SAP note. Deleting or changing standard authorization objects can cause severe errors in the programs that check those objects. Before an authorization object is modified, all authorizations defined for that object must first be deleted.

If you want to use the OR logic to give users access to certain functions, you can define several authorizations for the same object, each time with different values. In the user master records, you assign each of these profiles, which are linked with the OR login. So, when the system tests whether the user has access privileges, it checks each authorization to see if the assigned values comply with the access condition. The system allows access with the first authorization that passes the test.

Authorization Fields

Authorization fields identify the elements of the system that are to be protected by assigning them access tests. An authorization field can be, for example, a user group, a company code, a purchasing group, a development class, or an application area. There is one authorization field that is found in most authorization objects which is the Activity. The Activity field in an authorization object defines the possible actions that could be performed over a particular application object. For example, activity 03 is always Display, so if an authorization contains two fields such as company code and activity and if the company code field is * (meaning all company codes), the user with that authorization can only display the company codes.

The list of standard activities in the system is held on the SAP standard table TACT, which can be displayed using standard transactions such as SM30 (Extended Table Maintenance), or SE16 (Data Browser). The relationship between the authorization objects and the activities is held in table TACTZ. Not all authorization objects have the Activity authorization field. Authorization fields are the components of authorization objects as stated previously. And also, fields are part of the standard ABAP function call AUTHORITY-CHECK.

When maintaining authorizations, the system does not display the real names (technical names) for the fields; instead it shows a description for each field. Table TOBJ contains the fields that are associated with each authorization object; this is how the SAP system knows which fields belong to an authorization object. The fields in an object are associated with data elements in the ABAP data dictionary.

Authorization fields are not maintained from the user maintenance menu, but have to be defined within the development environment. Normally users do not need to change standard authorization fields, except if adding or modifying system elements and they want those elements to be tested with authorizations.


Roles form a set of tasks or activities that can be performed in the system, such as running programs, transactions, as well as access to Web sites, files and other functions that generally represent job roles. When you assign roles to users, the system will automatically present a specific menu for that role when the users log on to the SAP system. The roles and the information they include are what makes the profiles able to be automatically generated.Roles are the basic components needed for working with the Role Maintenance tool (transaction PFCG), based on the Profile Generator, which uses them to generate authorization profiles. You can also access the Role Maintenance tool, by clicking on the Create Role button on the application toolbar from the initial SAP Easy Access screen.

Roles resemble a job description, such as sales representative, accountant, treasurer, system administrator, and so on. Roles can include as many single system activities as needed. Single system activities can be transactions, reports and access to other types of objects such as Web sites, files, BSPs, and others. Role administrators select transactions or reports from a menu tree or can select authorizations and save this information as an activity group. This selection is used by the profile generator for determining the necessary authorizations and generating the profiles, which can then be assigned to users.

You can also assign roles to organizational objects, such as organizational units, jobs, positions, users, and so on. This can be done with the Organizational Management pushbutton, but you will only see this function if you have defined what it's known as an active plan variant, which is configure through the Customizing of HR. Please refer to the SAP online help for guidance on how to set up Roles for Organizational Management in HR. User master records can be assigned to one or more roles. When this type of assignment takes place, the updating of the user master records can be performed manually or automatically by running a background job. When this happens, the system combines the functions in the user menu when she or he logs on.

Roles can be temporarily assigned to users, which means that they can have multiple validity periods that cannot overlap. Date dependency assignment of profiles to user master records can be enforced by scheduling background jobs for that purpose.

User Buffers

User buffers are special areas (tables) containing all the authorizations for the user. These buffers are specific for individual users, and are actually built when the users log on, based on the authorizations contained in the profiles included in the user master record. When users try to perform activities in the system, the application programs and transaction are checked against the authorization objects and values contained within the user buffer. The number of entries in the user buffer can be controlled using the profile parameter auth/new_buffering.

You can see the context of the user buffer by selecting Tools | Administration | Monitor | User Buffer from the main menu, or by running transaction SU56.

The Activation Concept In Profiles and Authorizations

The authorization system allows two versions of authorizations or profiles: an active version and a modified, or maintenance, version. A new or modified authorization or profile cannot be used until it has been activated, since user master records can only contain active versions of profiles. The activation concept is useful for preventing mistakes when creating new authorizations or modifying existing ones, since the maintenance versions will not affect the system. It is also helpful for dividing the maintenance tasks among several users.

For example, some users can define or edit authorizations, while an activation administrator can be in charge of activating the maintenance versions previously created. The system verification for access privileges is only performed against active versions. Active versions are the only ones that have real effect in the system. When administrators create or modify an authorization or a profile, then they are working with a maintenance version. In this state, the system displays the status Revised in the header of the authorization or profile being modified. When the activation is performed, the maintenance version becomes the active one and replaces automatically the existing version if it exists. The system changes the status to Active.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd Protection Status