March-2007
Authorization objects
Profiles
Roles
Users
SAP/Introduction to Elements Of Authorization
[Diagram: a user is assigned roles; roles are backed by profiles containing Authorization 1, 2 and 3; each authorization refers to an authorization object that grants access to transactions (TRANS 1, TRANS 2) and reports]
An authorization object class can contain multiple authorization objects, which in turn are required for gaining access to run certain activities, e.g. executing transactions and reports.
ELABORATE ON AUTHORIZATION CONCEPTS, AUTHORIZATIONS, PROFILES & ROLES
[Diagram: AUTH OBJECT B with AUTH 1 (User1) and AUTH 2 (User2); USER1 receives a user profile, user profiles are grouped into composite profiles, which are attached to roles]
AUTH. OBJECT
An authorization object is a collection of fields and field values that together make up authorizations. Each object can contain a maximum of 10 fields, depending on the transaction, and each field can contain multiple values. Each combination of field values constitutes an authorization.
Authorization objects are primarily used for the security checks performed on a transaction before it executes. Whether the user has suitable authorizations for running the transaction is determined by comparing the field values present in the user buffer with the allowable field values of the object.
PROFILES
Profiles consist of user authorizations for multiple authorization objects belonging to various authorization object classes. Since profiles are mapped directly into the roles to which users are assigned in the user master record, a profile contains authorization data from various authorization objects belonging to different classes.
Authorization profiles give users access to the system. They contain authorizations, which are identified using the name of an authorization object and the name of an authorization. If a profile is specified in a user master record, the user is assigned all of the authorizations defined in this profile.
Eg:
SAP_ALL
SAP_NEW
P_BAS_ALL
PROFILES (Contd.)
Other S_xxx profiles: the profiles listed below are simply models. In general, the settings for the individual objects in these profiles must be restricted on a function basis. They are as follows:
S_A.SYSTEM
S_A.ADMIN
S_A.CUSTOMIZ
S_A.DEVELOP
S_A.DOKU
S_A.USER
S_ENT_IMG_GE
S_WF_ALL
ROLES
R/3 system security is role based.
Roles are templates that contain authorizations and to which users are assigned, so that the user is able to execute all the transactions and reports detailed under that role.
Role-based security is a form of user-level security in which the application does not focus on the individual user's identity but rather on the logical role the user occupies.
The application can query these groups (through the authority check process) and make security decisions based on the group's authorization object settings. For example, if access to a particular transaction is restricted to members of the HR Admin role, a local group called HR_Admin can be created to represent that role.
A role describes the activities of a user and allows the display of user-specific menus in the SAP system. Predefined or self-created roles can be assigned to any number of users. Roles also contain the authorizations with which users can access the reports and Web-based applications that are contained in the menu.
ROLES (Contd.)
AUTHORIZATIONS
Authorizations are the key building blocks of SAP security. Authorization is the process of assigning values to the fields present in authorization objects. Sometimes users find that they lack the necessary authorizations to perform a certain function in the system, in which case the message "You are not authorized..." is displayed at the bottom of the screen.
[Diagram: AUTH 1 (ACTVT = Create) and AUTH 2 (ACTVT = View); PROFILE 1 and PROFILE 2 are grouped into a COMPOSITE PROFILE]
System-level checks are performed when a transaction is started, while the program-level check takes place only after the kernel-level checks have succeeded.
Corresponding field values are checked for each of the fields present within the object, and only if an allowable combination of field values is found is the transaction allowed to run; otherwise it stops and generates an error message.
0 - The user has access to the authorization object as well as to the right field values, so he/she can continue to execute the transaction.
4 - The user has an authorization for the object(s) required for executing the transaction, but the field values do not match, and the user cannot continue further.
12 - The user does not have any kind of authorization for the object and therefore cannot be allowed to run the transaction.
16 - No profile mapped to the corresponding user can be found in the user master record.
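The field-value comparison against the user buffer described above, and the four return codes, as an added Python model (not SAP code; the user master records, profile names and field values are constructed, and the '*' wildcard follows the SAP convention for "any value"):

```python
"""Model of how an authorization check evaluates the user buffer.

Added illustration, not SAP code: the user buffer is the set of
authorizations collected from the profiles in a user's master record,
each authorization being a dict of field -> allowed values ('*' is the
SAP convention for "any value"). Return codes follow the list above.
"""

# Constructed sample user master records (user -> profiles -> object ->
# authorizations). Profile name and values are made up; S_TCODE,
# S_USER_GRP and S_DEVELOP are standard SAP authorization objects.
USER_MASTER = {
    "ALICE": {"profiles": {
        "Z_HR_DISPLAY": {
            "S_TCODE": [{"TCD": {"PA20", "PA30"}}],
            "S_USER_GRP": [{"ACTVT": {"03"}, "CLASS": {"HRUSERS"}}],
        },
    }},
    "BOB": {"profiles": {}},   # user master record without any profile
}

def build_user_buffer(user_master, user):
    """Flatten every profile of the user into object -> authorizations."""
    buffer = {}
    for profile in user_master.get(user, {}).get("profiles", {}).values():
        for obj, auths in profile.items():
            buffer.setdefault(obj, []).extend(auths)
    return buffer

def authority_check(user_master, user, obj, required):
    """Return 0 (allowed), 4 (object held, but field values differ),
    12 (no authorization for the object) or 16 (no profile in the
    user master record) for the requested field values."""
    if not user_master.get(user, {}).get("profiles"):
        return 16
    buffer = build_user_buffer(user_master, user)
    if obj not in buffer:
        return 12
    for auth in buffer[obj]:
        # a single authorization must allow every requested field value
        if all(required[f] in auth.get(f, set()) or "*" in auth.get(f, set())
               for f in required):
            return 0
    return 4

if __name__ == "__main__":
    # S_TCODE with TCD = PFCG is not in ALICE's buffer: return code 4
    print(authority_check(USER_MASTER, "ALICE", "S_TCODE", {"TCD": "PFCG"}))
```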
[Table: FIELD TCD, VALUE PFCG]
EXCEPTIONS TO S_TCODE
Objectives
Detailed discussion on the exceptions to S_TCODE
EXCEPTIONS TO S_TCODE
The check is not performed in the following cases:
You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. For these checks to succeed, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need, and it also increases the maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
EXCEPTIONS TO S_TCODE
In order for the entries made with transactions SU24 and SU25 to become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to Y (using transaction RZ10).
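The three conditions under which a check is skipped (SU24 check indicator, global deactivation via SU24/SU25, and the profile parameter), combined into one decision plus an audit helper that lists the checks currently suppressed, as an added Python model (not SAP code). The SU24 entries and the Z_ object names are constructed; recognising NetWeaver and HR objects by the S_ and P_ name prefixes (plus PLOG) is an assumption based on SAP naming conventions, not something the slides state.

```python
"""Model of when the authorization check for an object is skipped.

Added illustration, not SAP code. It combines the three conditions from
the slides: the SU24 check indicator kept per (transaction, object), the
objects deactivated globally via SU24/SU25, and the profile parameter
AUTH/NO_CHECK_IN_SOME_CASES. Assumption (SAP naming convention, not
stated on the slides): NetWeaver and HR objects are recognised by the
name prefixes S_ and P_, plus the HR object PLOG.
"""

PROTECTED_PREFIXES = ("S_", "P_")   # NetWeaver (Basis) and HR namespaces

def is_protected(obj):
    """Objects whose check can never be deactivated with SU24."""
    return obj.startswith(PROTECTED_PREFIXES) or obj == "PLOG"

def check_is_performed(tcode, obj, su24_indicators, globally_deactivated,
                       no_check_in_some_cases):
    """True if the check of obj runs when tcode is started.
    su24_indicators: {(tcode, obj): indicator}, where "N" means no check
    and "C" (the default here) means check."""
    if no_check_in_some_cases != "Y":
        return True        # SU24/SU25 entries are not effective at all
    if is_protected(obj):
        return True        # NetWeaver and HR objects cannot be deactivated
    if obj in globally_deactivated:
        return False       # switched off for all transactions
    return su24_indicators.get((tcode, obj), "C") != "N"

def suppressed_checks(su24_indicators, globally_deactivated,
                      no_check_in_some_cases):
    """Audit helper: SU24 (tcode, object) pairs whose check is skipped."""
    return sorted(key for key in su24_indicators
                  if not check_is_performed(*key, su24_indicators,
                                            globally_deactivated,
                                            no_check_in_some_cases))

# Constructed SU24 data for a customer transaction ZHRREP.
SU24 = {
    ("ZHRREP", "Z_HR_AUDIT"): "N",    # check deactivated for this transaction
    ("ZHRREP", "S_TCODE"): "N",       # attempt to deactivate a NetWeaver object
    ("ZHRREP", "Z_HR_EXPORT"): "C",   # check kept
}
GLOBALLY_OFF = {"Z_LEGACY"}           # deactivated for all transactions

if __name__ == "__main__":
    print(suppressed_checks(SU24, GLOBALLY_OFF, "Y"))
```

Running the audit helper with the parameter set to N shows nothing suppressed, which is the quick way to confirm that SU24/SU25 entries on a system are not in effect.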