Explaining Elements and Terminology of the ABAP Authorization Concept

Objective

After completing this lesson, you will be able to understand SAP authorization elements and terminology.

Overview of the Terms and Elements in the Authorization Concept

Diagram on overview of the elements of the SAP Authorization concept.

Authorization object class: A logical grouping of authorization objects (for example, all authorization objects for object class FI beginning with "F_").

Authorization object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously (example: F_LFA1_APP, vendor: application authorization).

Authorization field: The smallest unit against which a check is to be run (ACTVT, APPKZ).

Authorization: An instance of an authorization object, that is, a combination of allowed values for each authorization field of an authorization object.

Authorization profile: Contains instances (authorizations) for different authorization objects.

Role: Created using Role Maintenance (transaction PFCG); allows the automatic generation of an authorization profile. A role describes the activities of an SAP user.

User/user master record: Used for logging on to SAP systems and grants restricted access to functions and objects of the SAP system based on authorization profiles.

Naming conventions for customer developments (see SAP Notes 20643 and 16466):

  • Authorizations and authorization profiles are Customizing objects and must therefore not be in the customer namespace (Y, Z). They must not include an underscore in the second position.

  • Authorization classes, objects, and fields are development objects and must begin with Y or Z (customer namespace).

Authorization Fields, Objects, and Object Classes

Diagram on authorization fields, objects, and object classes.

Example:

The authorization fields BUKRS (company code) and ACTVT (activity) are used in the following authorization objects, among others:

  • M_RECH_BUK: Authorization to release blocked invoices for specific company codes.

  • F_BKPF_BUK: Authorization to edit documents for specific company codes.

  • F_KNA1_BUK: Assignment of the activities allowed in the company code-specific area of the customer master record.

In the authorizations for each authorization object, you can specify which activities (such as create, change, display, and so on) may be performed in which company code. Each object has a specific number of allowed activities, which are described in the object documentation.

All possible activities (ACTVT) are stored in table TACT (transaction SM30).

The valid activities for each authorization object can be found in table TACTZ (transaction SE16).

Hint

Every customer can create their own authorization object classes, authorization objects, and authorization fields.

Authorization

Example on two authorizations A and B.

Example:

  • Authorization "A" allows the user to perform the activities create, change, and display in company codes 1000 and 2000.

  • Authorization "B" allows the user to perform only the display activity in company codes 1000, 2000, and 3000.

If the user has both authorization "A" and authorization "B", the two are evaluated together: the user can perform the create, change, and display activities in company codes 1000 and 2000, but can only perform the display activity in company code 3000.
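The rule behind this example is easy to get wrong: a check succeeds only if one single authorization allows every requested field at once; values are never merged across authorizations, so "A" plus "B" does not yield create in company code 3000. The following Python model is an added illustration written for this lesson, not SAP code (the real check is the ABAP statement AUTHORITY-CHECK evaluated by the kernel against the user's buffered profiles); the data structures, the function names and the string form of value patterns are assumptions. It also handles the value patterns seen in real authorizations (the full wildcard `*`, a prefix such as `Z*`, and an interval), which the two-authorization example above does not need.

```python
"""Toy model of how the ABAP authorization check combines several authorizations.

Added illustration for this lesson, not SAP code. Patterns are modelled as strings:
'*' allows all values, a trailing '*' (e.g. 'Z*') allows a prefix, 'lo-hi' is an
inclusive interval, anything else must match exactly (assumption, SAP stores
intervals as separate from/to values).
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One instance of an authorization object: allowed values per field."""
    name: str                       # e.g. "A" or "B" in the lesson text
    obj: str                        # authorization object, e.g. F_BKPF_BUK
    fields: dict[str, list[str]]    # field -> list of allowed value patterns


def value_allowed(pattern: str, value: str) -> bool:
    """Match one allowed value pattern against a requested value."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return lo <= value <= hi
    return pattern == value


def authorization_passes(auth: Authorization, obj: str, requested: dict[str, str]) -> bool:
    """A single authorization passes only if EVERY requested field is allowed by it."""
    if auth.obj != obj:
        return False
    return all(
        any(value_allowed(p, val) for p in auth.fields.get(fld, []))
        for fld, val in requested.items()
    )


def authority_check(profile: list[Authorization], obj: str, **requested: str) -> bool:
    """Mirror of AUTHORITY-CHECK semantics: the check succeeds if ANY one
    authorization satisfies all requested fields at once. Values are never
    merged across two authorizations."""
    return any(authorization_passes(a, obj, requested) for a in profile)


# Constructed data taken from the lesson: authorizations "A" and "B" on
# F_BKPF_BUK. Activity codes: 01 create, 02 change, 03 display.
AUTH_A = Authorization("A", "F_BKPF_BUK",
                       {"ACTVT": ["01", "02", "03"], "BUKRS": ["1000", "2000"]})
AUTH_B = Authorization("B", "F_BKPF_BUK",
                       {"ACTVT": ["03"], "BUKRS": ["1000", "2000", "3000"]})
PROFILE = [AUTH_A, AUTH_B]


def lesson_results() -> dict[str, bool]:
    """Outcomes for the combinations the lesson discusses."""
    return {
        "change in 1000": authority_check(PROFILE, "F_BKPF_BUK", ACTVT="02", BUKRS="1000"),
        "display in 3000": authority_check(PROFILE, "F_BKPF_BUK", ACTVT="03", BUKRS="3000"),
        "create in 3000": authority_check(PROFILE, "F_BKPF_BUK", ACTVT="01", BUKRS="3000"),
    }


if __name__ == "__main__":
    for case, ok in lesson_results().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```

The `profile` list stands for everything the user holds at check time, whether it comes from one manually built profile or from the generated profiles of several roles; the decisive property is that `authorization_passes` is evaluated per authorization, so a reviewer who sees "create" and "3000" both somewhere in a user's authorizations cannot conclude that create in 3000 is allowed.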

Authorizations and Authorization Profiles

Table displaying the authorization objects and respective authorizations of three work centers.

You can define several different authorizations for an authorization object. This means that an authorization object has various instances.

Example: Authorization object F_BKPF_BUK has the following authorizations:

  • Work center 1: Authorized to create, change and display documents in company code 2000.

  • Work center 2: Authorized to create, change and display documents in company code 1000.

  • Work center 3: Authorized to display documents in company code 1000.

You can assign multiple authorizations to a work center. Grouped together, these authorizations are called an authorization profile.

Example: Work center 2 has the following authorization profile:

  • Authorization to execute transaction code FB02 and FB03.

  • Authorization to create, change, and display documents in company code 1000.

  • Authorization to create, change, and display documents in business area 2000.

  • Authorization to change and display document items for the accounts receivable account type.

Roles and Authorization Profiles

Diagram showing the elements of a role for two roles A1 and Z1.

To provide users with user-specific menus after they have logged on to an SAP system, you use roles. These are defined using Role Maintenance.

A role is a set of functions, also known as activities, describing a specific work area. The "Accounts Receivable Accountant" role, for example, contains transactions, reports, and/or Internet/Intranet links that an accountant needs for his or her daily work.

In the role, you organize transactions, reports, or Web addresses in a role menu.

A large number of roles (>1200) are delivered with the standard SAP R/3 System. Before you define your own roles, check if one of the user roles delivered as part of the standard SAP R/3 System can be used.

Hint

Note that the predefined roles are delivered as templates, and begin with the prefix "SAP_".

For a user to receive authorizations, you must first maintain authorization data.

You can then generate the authorization profile, and the role is complete.

Hint

SAP strongly recommends the automatic creation of authorization profiles in the form of roles using Role Maintenance. You should only use manual authorization profiles in exceptional cases.

A role can be assigned to any number of users. Through the role, you also assign the authorizations that users need to access the transactions, reports, and so on, contained in the menu.

This user menu appears when the user to whom the role was assigned logs on to the SAP system. A user menu consists of the role menus of the assigned roles. It contains the activities that are required by a group of users for their work area.

Roles and the Easy Access Menu

Screenshot of SAP Easy Access - User menu for ADM940.

The new SAP Easy Access menu provides a user-specific point of entry into the SAP system.

The user menu (created from multiple role menus) contains only those transactions, reports, and Web addresses needed by the users for their daily work processes.

User menus can be, and often are, created in Role Maintenance using composite roles.

For users with system administrator authorization, the SAP Easy Access menu provides some additional functions for:

  • Creating roles

  • Calling menus for roles and assigning them to users

To use these extended functions, you need authorizations for the following authorization objects:

Authorization object   Value
S_USER_TCD             PFCG
S_USER_PRO             *
S_USER_AUT             *
S_USER_GRP             *

Practice System Exercise: Display Authorization Information of the Authorization Concept (ABAP)

Note

If you have access to a practice system, you can now execute this exercise.

Task 1: Access the Training System Landscape

Log in to your training landscape and log on to your training system.

Steps

  1. Log in to your Training Landscape

    Follow the guidance of your instructor.

  2. Log on to the SAP GUI on the training system T41 as user ADM940-##.

    1. Start SAP Logon.
    2. Select system T41 and choose Log On.
    3. Enter ADM940-## in the User field.
    4. Enter the initial password Welcome1 in the Password field.
    5. Enter your log-on language (EN or DE) in the Language field.
    6. Choose Enter.
    7. Enter a password of your choice in the New Password and the Repeat Password fields.
    8. Choose Transfer (Enter).
    9. Choose Continue (Enter).

Task 2: Display the Master Record of User ADM940-##.

Display the master record of user ADM940-##.

Steps

  1. Are roles assigned to the user? If yes, which ones?

    ______________________ ,

    ______________________ ,

    ______________________ ,

    ______________________ .

    1. SAP Menu: Tools → Administration → User Maintenance → Users (transaction SU01).

      Enter ADM940-## and choose Display (F7).

    2. Select the Roles tab page.

      Yes:

      ADM940_DEMO_MENU

      ADM940_DISPLAY

      ADM940_PLUS

      ADM940_USER

  2. Is an authorization profile assigned to the user? If yes, which one(s)?

    ______________________ ,

    ______________________ ,

    ______________________ ,

    1. Choose the Profiles tab page.

      Yes:

      Profile for role ADM940_DISPLAY (many)

      Profile for role ADM940_PLUS

      Profile for role ADM940_USER

Task 3: Display the Details for an Authorization Profile

Steps

  1. Display the details for the authorization profile for role ADM940_PLUS.

    Hint

    Double-click the profile name to go to the detail screen of the authorization profile.

    Expand the tree structure of the authorization profile.

    Do you have authorizations for the following authorization objects?

    - F_BKPF_BUK? _____

    - PLOG? _____

    - S_TCODE? _____

    - S_USER_GRP? _____

    From the detail screen of the authorization profile, go back to the display of the user master record.

    Exit the transaction.

    1. Double-click the profile name to go to the detail screen of the authorization profile.

      Expand the tree structure of the authorization profile.

      Authorization for authorization object:

      - F_BKPF_BUK? No.

      - PLOG? No.

      - S_TCODE? Yes.

      - S_USER_GRP? Yes.

  2. Which authorization fields does the object S_USER_GRP consist of?

    ____________________________________

    ____________________________________

    1. Authorization fields for the authorization object S_USER_GRP:

      ACTVT Activity

      CLASS User group in user master maintenance

  3. Which authorization values do you have for the authorization object S_USER_GRP?

    Authorization combination 1:

    Field 1) ___________________ Field 2) ___________________

    Authorization combination 2:

    Field 1) ___________________ Field 2) ___________________

    1. Authorization values for the authorization object S_USER_GRP:

      Authorization combination 1) :

      Field 1: ACTVT: 05, Field 2: CLASS: Z*.

      Authorization combination 2) :

      Field 1: ACTVT: 03, 08, Field 2: CLASS: *.

    2. From the detail screen of the authorization profile, go back to the display of the user master record.

    3. Exit the transaction.

Task 4: Analyze Authorization Objects Using the User Information System

Display various authorization information in the User Information System.

Steps

  1. Navigate to the User Information System in the SAP Menu.

    1. SAP Menu: Tools → Administration → User Maintenance → Information System folder.

  2. Select the authorization object S_USER_GRP.

    1. Expand the structure for the Authorization Objects node, and select the report Authorization Objects - By Object Name, Text by double-clicking it.

    2. Enter S_USER_GRP in the Authorization Object field.

    3. Choose Execute (F8).

    4. Double-click the object S_USER_GRP.

  3. To which authorization object class is the authorization object S_USER_GRP assigned?

    1. You are now in the Display Authorization Object dialog. What does the Class field contain?

      The Authorization object class for authorization object S_USER_GRP is: BC_A, Basis Administration.

  4. Display the documentation for this authorization object and find out in which transactions the authorization object is checked, and what activities are possible.

    In which transactions is the authorization object checked?

    _______________________; _______________________; _______________________; _______________________; _______________________; _______________________;

    What activities are possible?

    ___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________;

    1. Select the authorization object and choose the Display Object Documentation button.

    2. Transactions with integrated check of S_USER_GRP:

      "SU01", "SU10", "SU12", "PFCG", "SUUM", "SUUMD".

    3. Possible values for the Activity field:

      01: Create

      02: Change

      03: Display

      05: Lock, Unlock

      06: Delete

      08: Display Change Documents

      22: Add Users to Roles

      24: Archive

      36: Extended Maintenance

      50: Move

      78: Assign

      68: Model

      PP: Set Productive Password

      F4: Address data display in input help

    4. Exit the report Authorization Objects by Object Name, Text and go back to the SAP Easy Access menu.

  5. Search for authorization objects whose names begin with S_USER.

    1. In the Information System, under the Authorization Objects node, double-click the report Authorization Objects - By Object Class.

    2. Choose the All Selections icon (Shift+F7).

    3. Enter S_USER* in the Authorization Object field.

    4. Enter BC_A in the Object class field.

    5. Choose Execute (F8).

  6. How many authorization objects have a name that begins with S_USER?

    ____________________

    1. Analyze the list of authorization objects.

      Number of authorization objects that begin with S_USER:

      17 Authorization objects

  7. Find out about the authorization object S_USER_TCD by displaying the documentation.

    What is controlled with this authorization object?

    _________________________________________________________

    _________________________________________________________

    _________________________________________________________

    Which authorization field(s) does the object consist of?

    ____________________

    1. In the line of the authorization object S_USER_TCD, double-click the Information button (i).

    2. Read the displayed information.

      Definition for authorization object S_USER_TCD:

      This authorization object controls the transactions that system administrators can assign to a role, as well as the transactions for which they can assign transaction code authorization (object S_TCODE). Note that in the Profile Generator, you can only maintain intervals of transactions for the object S_TCODE if you have full authorization for S_USER_TCD. Otherwise you can only maintain individual values for the object S_TCODE.

      Defined fields:

      TCD: Transactions that administrators may assign to roles and for which they may assign authorization to start a transaction in Role Maintenance.

    3. Exit the report and return to the SAP Easy Access menu.

Task 5: Analyze the Role ADM940_SD_SALES Using the User Information System

Steps

  1. Navigate to the User Information System in the SAP Menu.

    1. SAP Menu: Tools → Administration → User Maintenance → Information System folder.

  2. Use the report Roles by Complex Selection Criteria → By Role Name for the role ADM940_SD_SALES.

    1. Expand the structure for the Roles node, then expand the structure for the Roles by Complex Selection Criteria node, and choose the report By Role Name by double-clicking it.

    2. Enter ADM940_SD_SALES in the Role field.

    3. Choose Execute (F8).

  3. Display the transaction assignment for the role.

    Does this role allow you to start transactions that begin with "X"?

    ____________________

    Does this role provide authorization to call transaction VA03?

    ____________________

    Does this role provide authorization to call transaction MM03?

    _____________________

    1. Display the transaction assignment of the role by selecting the line with the role name and choosing the button Transaction Assignments (Ctrl+Shift+F6).

      Does this role allow you to start transactions that begin with "X"?

      Yes.

      There are three transactions (XD01; XD02; XD03).

      Does this role provide authorization to call transaction VA03?

      Yes.

      Does this role provide authorization to call transaction MM03?

      No.

    2. Exit the report and return to the initial Information System screen.
