SAP Access Authorization

Understanding
By Ifrahim
The Components of SAP (Access Authorization)
SAP Component - Hierarchy
Access Authorization - Profile
• An authorization profile gives users access to the system. A profile contains individual authorizations, which are identified by the authorization name and one or more authorization objects. If a profile is specified in a user master record, the user has all the authorizations defined in this profile.
Authorization Profile

• The values in this area are what control access to transactions and data.
• Authorization objects are divided into application areas.
• Restrictions are set according to objects and activities.
Protecting Specific Profiles in SAP

A few profiles that need to be protected in an SAP system are:

• SAP_ALL: allows the user to perform all tasks in an SAP system.
• SAP_NEW: contains all the authorizations that are required in a new release.
• P_BAS_ALL: allows the user to view the content of tables from other applications.
Authorization

• An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
• If you change authorizations, all users whose authorization profile contains these
authorizations are affected.
As a system administrator, you can change authorizations in the following ways:
• You can extend and change the SAP defaults with role maintenance.
• You can change authorizations manually. These changes take effect for the
relevant users as soon as you activate the authorization.
Walkthrough of Authorization Checks.
Example of authorization object : Business partner
Example: HR Authorizations
One transaction (PA30) potentially gives access to all HR master data. Unlike other modules,
however, access to the transaction does not grant access to the database.

P_ORGIN - authorizations for HR Master Data in PA

P_ORGINCON - context sensitive authorizations for PA data

PLOG - authorizations for HR Master Data in PD

P_PCLX - authorizations for data stored in cluster

P_PERNR - Personnel Number Check

SU53
Standard mechanism for investigating authorization failures
• An administrator can run the transaction for any user
• Output will usually show which authorization object caused the failure.
Limitations:
• Shows the most recent authorization check, so must be run immediately after the
authorization failure
• Only shows the authorization object that caused the failure. Does not show all
the authorizations that would have failed, so it can be laborious working through
failures one by one
• Can give misleading results, depending on the type of failure
ST01 Trace
Setting the Trace
• Restrict the trace to ‘Authorization Check’
• Add a filter to restrict the trace to a specific user
• Click on the ‘Trace On’ button
• Click on ‘Trace off’ when the trace is completed
(the system trace affects system performance)
Trace Analysis
• Ensure that the ‘From’ and ‘To’ fields encompass
the time that the activity was carried out
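
An added example (not part of the original slides, and not SAP code): a simplified Python model of the checks described in the HR, SU53 and ST01 slides. It shows that holding the transaction code does not imply data access, and why a last-failure view reports less than a full trace. The field subsets, user data and check sequence are constructed assumptions.

```python
# Simplified model of SAP authorization checks (illustration only, not SAP code).
# Only a subset of each object's fields is modelled; all data below is constructed.

def field_ok(granted, required):
    """A granted value matches if it is '*', an exact match, or a prefix pattern like 'PA*'."""
    return any(
        g == required or (g.endswith("*") and required.startswith(g[:-1]))
        for g in granted
    )

def authority_check(user_auths, obj, **required):
    """Pass only if ONE authorization for obj covers every required field value."""
    return any(
        auth_obj == obj
        and all(field_ok(fields.get(f, []), v) for f, v in required.items())
        for auth_obj, fields in user_auths
    )

def run_checks(user_auths, checks):
    """Return (trace, last_failure).

    trace        : every check with its result, as a full trace would record it
    last_failure : only the most recent failed check, as a last-failure view reports
    """
    trace, last_failure = [], None
    for obj, required in checks:
        ok = authority_check(user_auths, obj, **required)
        trace.append((obj, required, ok))
        if not ok:
            last_failure = (obj, required)
    return trace, last_failure

# Constructed user: may start PA30 and read infotype 0008 in any personnel area.
USER_AUTHS = [
    ("S_TCODE", {"TCD": ["PA30"]}),
    ("P_ORGIN", {"INFTY": ["0008"], "AUTHC": ["R"], "PERSA": ["*"]}),
]

# Constructed sequence of checks for a maintenance attempt (AUTHC 'W' = write).
CHECKS = [
    ("S_TCODE", {"TCD": "PA30"}),
    ("P_ORGIN", {"INFTY": "0002", "AUTHC": "W", "PERSA": "1000"}),
    ("P_ORGIN", {"INFTY": "0008", "AUTHC": "W", "PERSA": "1000"}),
]

if __name__ == "__main__":
    trace, last_failure = run_checks(USER_AUTHS, CHECKS)
    for obj, required, ok in trace:
        print("PASS" if ok else "FAIL", obj, required)
    print("Last-failure view shows only:", last_failure)
```

Fixing only the reported failure (infotype 0008) would still leave the infotype 0002 check failing, which is the one-by-one effort the SU53 limitations describe.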
Transaction SUIM
Difference between Role and Profile.
• A role is an authorization element that requires one or more authorization objects, often calls transactions, and contains a profile. It can be a single role, in which case it exists alone with these components, or a composite role, in which case it contains two or more single roles.
• The major difference between a role and a profile is that a role cannot function or exist without a generated profile, but a profile can exist and function in a user's master record without being in a role.
• This means that when you assign a user a role that has no generated profile, the user will not be able to perform any activity.
• If, however, you assign a profile to a user, the user will be able to perform the activities and functions attributed to that profile.
WALK THROUGH COMPLETE ACCESS AUTHORIZATION IN SAP.