Maintaining User Authorizations with Roles and Profiles

Users can log on to a client of an SAP system if they have a user master record and they know their user name and password, and if the user type is authorized for the logon type. For example, a communication or system user cannot log on using SAP GUI.

After the users have logged on to the SAP system, they will start working productively by calling applications. As the figure Users and Authorizations shows, in the SAP system, there is an authorization check every time an application is called.

If users attempt to start an application they are not authorized to, the system rejects the user by displaying an error message. If the user starts an allowed application, the system displays the initial screen of this application. Depending on the application called, the user enters data and performs actions on this screen. There may be additional authorization checks for the data and actions to be protected.

To understand the ABAP authorization concept, and to create your own roles and authorizations, you need a basic knowledge of roles and authorization profiles in the user master record.

In an ABAP-based SAP system, actions and access to data are protected by authorization objects. The authorization objects are delivered by SAP and are included in SAP systems. To provide a better overview, authorization objects are grouped into object classes.

Authorization objects allow complex checks that involve multiple conditions that allow a user to perform an action. The conditions are specified in authorization fields for the authorization objects and are linked for the check. Authorization objects and their fields have descriptive and technical names. An authorization object can include up to ten authorization fields.

The figure Authorization Roles shows an example of authorization object User Master Maintenance: User Groups (technical name: S_USER_GRP) that protects user master records. The authorization object S_USER_GRP contains two fields: Activity (technical name: ACTVT) and User Group in User Master Record (technical name: CLASS).

An authorization is always associated with exactly one authorization object and contains the value for the fields of an authorization object. An authorization is a permission to perform a certain action in the SAP system. The action is defined on the basis of the values for the individual fields of an authorization object. In the example, Authorization A for the authorization object S_USER_GRP allows creating, changing, and displaying of all user master records that are assigned to the user group SUPER. Authorization B, in contrast, allows only the display of user master records for user groups that start with A-SUPEQ and SUPERA-Z.

Multiple authorizations can be generated out of one authorization object. Some authorizations are already delivered by SAP, but the majority are created specifically for the customer's requirements.

As illustrated by the figure Authorization Check, when a user logs on to a client of an SAP system, their authorizations are loaded in the user context. The user context is in the user buffer (in the main memory) of the application server. It can be displayed using transaction SU56.

When a user calls a transaction, the system checks whether the user has the required authorization in the individual user context for calling the selected transaction. Authorization checks use the authorizations in the user context. If you assign new authorizations to the user, the user may need to log on to the SAP system again to be able to use these new authorizations (for more information, see SAP Note 452904 – Loss of authorization after profile generation and the documentation for the parameter auth/new_buffering).

If the authorization check for calling a transaction is successful, the system displays the initial screen of the transaction. Depending on the transaction, the user can create data or select actions. When the user completes the dialog step, the data is sent to the dispatcher, which passes it to a dialog work process for processing. Authority checks (command AUTHORITY-CHECK) that are checked during runtime in the work process are built into the coding by the ABAP developers for data and actions that are to be protected. If users have all required authorizations in their individual user context for the checks (return code = 0), the data and actions are processed and the next screen is displayed. If the required authorization is missing, the data and actions are not processed and the user receives a message that the assigned authorizations are insufficient. This is controlled by the evaluation of the return code. In this case, it is not equal to 0.

All authorizations are permissions. There are no authorizations that prohibit actions. Everything that is not explicitly allowed is forbidden. You could therefore describe this as a positive authorization concept.

Role maintenance (transaction PFCG, formerly also called Profile Generator) simplifies the creation of authorizations and their assignment to users. As the figure Role Maintenance shows, in PFCG, transactions that belong together from the company's point of view are selected. Role maintenance automatically creates authorizations with the required field values for the authorization objects that are checked in the selected transactions.

A role can be assigned to a number of different users. Changes to a role therefore have an effect on multiple users. Users can be assigned various roles.

As the figure Menu Layout shows, the user menu comprises the role menu(s) and contains the entries (startable applications, URLs, reports, and so on) that are assigned to the user through the roles.

To edit the menu of a role in PFCG, enter the name of the role and choose the icon for Create or Change. Choose the Menu tab page.

Here you can select and change functions: The menu tree can be adjusted for the individual roles as required.

• You can insert startable applications such as transactions, Web Dynpo Applications or SAP Fiori objects (for example, catalogs or groups) in the tree structure and delete existing entries.

• If you choose Report in the dropdown menu for inserting, you can also integrate reports. In this case, Role Maintenance creates transaction codes (if they do not already exist) with which the reports can be called.

• If you choose the function Web address or file in the dropdown menu of the Insert Node button, you can add Internet addresses or links to files (such as tables or text files). When integrating files, you must use the storage paths instead of URLs. You can also specify SAP Business Warehouse web reports and links to external mail systems and Knowledge Warehouse.

• The authorizations for SAP Fiori applications are also created using the Role Maintenance. You can maintain authorizations for SAP Fiori Catalogs, SAP Fiori Groups and starting with SAP S/4HANA 2020 also for SAP Fiori Spaces by choosing the option SAP Fiori Launchpad in the dropdown menu of the Transaction button.

You can also change menus by creating, moving, deleting, or renaming directories and subdirectories as required. You can use the drag and drop function in role maintenance.

Role Maintenanceautomatically creates the authorizations that are associated with the transactions specified in the menu tree. However, all authorization values must be manually checked and adjusted if required in accordance with the actual requirements and authorities. The system administrator is responsible for this task, together with the appropriate user department. When using organizational levels, you do not carry out maintenance directly in the field, but by means of the Organizational levels... button.

As shown in the figure Generating Authorization Profiles, you choose the Authorizations tab page and then Display Authorization Data or Change Authorization Data, depending on the maintenance mode. Check the scope and contents of the authorizations.

If there are system proposals, a green traffic light in the authorization overview indicates that Role Maintenance has supplied at least one proposal for each authorization field. A yellow traffic light indicates that the authorization must be maintained manually after it has been created. Role Maintenance does not provide a default value for the authorization. In the example shown above, which deals with user maintenance with respect to user groups, Role Maintenance offers no suggestion about which user groups should be maintained by a user that will be assigned to this role.

Some fields appear in many authorizations. A number of important fields have therefore been combined into organizational levels, such as the company code. When you maintain an entry for the organizational level using the Organizational levels... button, you maintain all the fields that appear there at the same time. A red traffic light indicates, therefore, an unmaintained organizational level.

Once all authorizations are maintained as required, the authorization profile can be generated by choosing Generate. After creation, the profile name cannot be changed. The authorizations are grouped together in profiles. The profiles must be entered in the user master record (by role maintenance) for the authorizations to take effect for the user. This is called User Comparison.

After creation, the profile name cannot be changed. The authorizations are grouped together in profiles. The profiles must be entered in the user master record (by role maintenance) for the authorizations to take effect for the user. This is called User Comparison.

The assignment of users to roles is performed in the Role Maintenance transaction (PFCG) or in the User Maintenance transaction (SU01). Select the User tab page and the user IDs to be maintained there. When selecting user IDs, the system uses the current date as the start of the validity period of the assignment; it sets 12/31/9999 as the end date. You can change both values.

As the figure Assigning Roles to Users shows, users can be linked to more than one role. This can be useful, for example, if some activities (such as printing) are to be permissible across roles.

The assignment of roles to users does not automatically grant the corresponding authorizations to the users. To assign the authorizations, you must first perform a user comparison, during which the role's profile is entered in the user master record. This is illustrated in the figure User Comparison.

A user comparison determines whether authorization profiles should be added to or removed from the current user on the basis of the individual role assignment. During a comparison, profiles are added to a user master record due to roles that have been added. If role assignments are removed manually or time-dependently, the corresponding authorization profiles are deleted from the user master record.

The comparison can be performed individually for each role. For this, select the role in Role Maintenance (transaction PFCG), choose the User tab page, and choose User comparison. In the dialog box that the system displays, choose Complete comparison.

If you have to update multiple role assignments, you can perform a corresponding comparison in Role Maintenance by choosing Utilities → Mass comparison (transaction PFUD). You can specify the desired roles individually, or update all assignments by entering the asterisk (*) character.

You can also activate the periodic user master record comparison in transaction PFCG by choosing Utilities → Mass comparison. Choose the option Schedule or check job for full reconciliation. The system then displays a search window for the background job PFCG_TIME_DEPENDENCY. If it does not find an appropriate job, you can create a new one. The default value is that all user master records are compared once each day.