Implementing the ABAP Roles for On-Premise/Private Cloud

Objective

After completing this lesson, you will be able to implement the ABAP roles for the On-Premise/Private Cloud.

Authorization Objects and Authorization Checks

In this lesson, you will learn about the authorization concept for the On-Premise/Private cloud. With this knowledge, you will learn how to implement ABAP roles.

Having explored roles, authorization profiles, and user master records in the previous lesson, you will now look at the ABAP authorization concept itself. In SAP's authorization framework, authorization object classes, authorization objects, and authorization fields all play crucial roles, but they operate at different levels of the hierarchy and with different degrees of specificity. Here's a detailed breakdown.

For example, the authorization object S_USER_GRP protects the user group in user master record maintenance.

The important terminologies in the authorization concepts are as follows:

  • Authorization Object Class: This high-level category groups related authorization objects for better organization and easier management.
  • Authorization Object: An authorization object is a specific, predefined set of authorization fields that together define the combination of conditions required for access control.
  • Authorization Field: An authorization object is made up of individual fields. Each field specifies one detailed condition for access, such as the activity being performed or the organizational unit being accessed.

Authorization objects protect actions and access to data in an ABAP-based SAP system. SAP delivers the authorization objects in SAP systems.

Putting It All Together

Example Scenario:

Suppose a role needs to be created that allows certain administrators to maintain user master records only within the user group "SUPER". These are the components used to restrict the role's authorizations:

  1. Authorization Object Class: BC_A (Basis - Administration)
  2. Authorization Object: S_USER_GRP (User Master Maintenance: User Groups)
  3. Authorization Fields:
    • CLASS (User Group in User Master Maintenance): SUPER (the specific user group to which access is allowed)
    • ACTVT (Activity): 01 (Create), 02 (Change), 03 (Display)

The purpose of the authorization object class is to organize the management of numerous authorization objects by grouping them into logical categories. For example, an authorization object class could relate to sales and distribution, finance, human resources, or any other functional area within the SAP system. This grouping helps make the security and authorization structure more understandable and easier to maintain.

Authorization objects are divided into various authorization object classes to provide a better overview of the impacted functions and components within the system. An authorization object class is a way to group logically related authorization objects. These classes help simplify and organize the management of authorizations in the SAP system by categorizing them based on their functionality or application areas.

Authorization objects encapsulate a set of authorization fields defining specific access rights. These fields hold values that determine a user's level of access to certain SAP functionality or data.

An authorization is always an instance of precisely one authorization object: it is permission to perform a specific action in the SAP system, and the action it permits is defined by the values it holds for that object's individual fields.

For example, Authorization B in the figure for the authorization object S_USER_GRP allows the display of all user master records that are not assigned to the user group SUPER. Authorization A, however, enables the maintenance and display of records for this user group.

Multiple authorizations can be created for one authorization object. SAP delivers default values for most authorizations, which can be amended to meet customer requirements. Authorizations can also be designed specifically for custom application requirements.

Authorization Check

When a user logs on to an SAP system client, their authorizations are loaded in the user context. The user context is in the application server's user buffer (query using transaction SU56) in the main memory.

When the user calls a transaction, the system checks whether the user context contains an authorization (for the authorization object S_TCODE) that allows them to start the selected transaction. All authorization checks use the authorizations in the user context.

If you, as an administrator, assign new authorizations to a user, the user must log on to the SAP system again before the new authorizations are loaded into the user buffer and can be used. (For more information, see SAP Note 452904 and the documentation of the profile parameter auth/new_buffering: https://me.sap.com/notes/452904.)

If the authorization check for calling a transaction was successful, the system displays the initial screen of the transaction. Depending on the transaction, the user can create data or select actions.

ABAP developers build authority checks (the AUTHORITY-CHECK statement) into the program code to protect data and actions; these checks are executed at runtime in the work process. The AUTHORITY-CHECK statement verifies whether the current user holds the authorization needed to perform a specific action, such as running a transaction, updating a table, or accessing specific data. It compares the field values specified in the statement against the authorizations in the user context for the named authorization object.

If the user context contains all required authorizations for the checks (return code = 0), the data and actions are processed, and the user can move to the next screen.

If even one required authorization is missing, the data and actions are not processed, and the user receives a message that their authorizations are insufficient. The value of the return code controls this step: in this case, the return code is not equal to 0.

Flowchart: SAPGUI to Screen, then to AUTHORITY-CHECK. User Context is checked. If Ok, it moves to Processing. If not Ok, it goes to Error Message.

SAP uses a positive authorization concept for these systems: all authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden.
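The following report shows what the AUTHORITY-CHECK described above looks like in ABAP, using the S_USER_GRP scenario from this lesson. It is an added example and not code from the SAP lesson or from any SAP program; the report name ZDEMO_AUTH_CHECK, the subroutine AUTHORIZED_FOR_GROUP and the two selection parameters are assumptions made for the illustration.

```abap
REPORT zdemo_auth_check.
" Added example (not part of the SAP lesson): check the user context against
" S_USER_GRP before maintaining a user master record in a given user group.
" Report name, subroutine name and parameters are assumed for this illustration.

PARAMETERS: p_group TYPE xuclass    DEFAULT 'SUPER',   " user group (field CLASS)
            p_actvt TYPE activ_auth DEFAULT '02'.      " activity   (field ACTVT)

" Sets cv_ok to abap_true only if the current user's buffer holds an
" authorization for S_USER_GRP whose CLASS and ACTVT values both match.
FORM authorized_for_group USING    iv_group TYPE xuclass
                                   iv_actvt TYPE activ_auth
                          CHANGING cv_ok    TYPE abap_bool.
  cv_ok = abap_false.

  AUTHORITY-CHECK OBJECT 'S_USER_GRP'
    ID 'CLASS' FIELD iv_group
    ID 'ACTVT' FIELD iv_actvt.

  CASE sy-subrc.
    WHEN 0.
      " Every field matched an authorization in the user context: permitted.
      cv_ok = abap_true.
    WHEN 4.
      " No matching authorization in the user master record. With the positive
      " authorization concept nothing has to be denied explicitly: a value that
      " was never granted is simply not there, and the check fails.
    WHEN OTHERS.
      " Return codes such as 8 or 12 signal a problem with the check itself
      " (for example an unknown object or wrong number of fields). Treat any
      " non-zero code as "not authorized", never as success.
  ENDCASE.
ENDFORM.

START-OF-SELECTION.
  DATA lv_ok TYPE abap_bool.

  PERFORM authorized_for_group USING p_group p_actvt CHANGING lv_ok.

  IF lv_ok = abap_true.
    WRITE: / 'Authorized: activity', p_actvt, 'on user group', p_group.
    " ... the program would now maintain the user master record ...
  ELSE.
    " A type E message aborts processing, which is the "Error Message"
    " branch of the flowchart above.
    MESSAGE 'You are not authorized for this user group and activity' TYPE 'E'.
  ENDIF.
```

Two practical notes: if a program deliberately does not want to restrict on a field, it must say so with `ID 'ACTVT' DUMMY` rather than omitting the field, because the check only succeeds when every field named in the statement is covered by an authorization. And when a user reports "insufficient authorization", transaction SU53 shows the object and field values of the last failed check for that user, which is the quickest way to see what the role is missing.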

Role Maintenance - Menus and Authorizations

Administrators use the role maintenance tool (transaction PFCG) to maintain and manage roles within an SAP system. Role maintenance simplifies the creation of authorizations and their assignment to users. In role maintenance, transactions and applications required for business use are assigned to the role. In addition, role maintenance creates authorizations with the required field values for the authorization objects checked in the selected transactions and applications.

From role maintenance, you can assign a role to various users. Changes to a role, therefore, influence multiple users.

You can assign a user to various roles from SU01, the user maintenance tool discussed in the previous lesson.

Image depicts a software interface for defining functions, adjusting menu structures, linking web resources, and generating reports. On the right, a detailed tree hierarchy menu shows change and reverse vendor documents.

The user menu comprises role menu(s) and contains entries assigned to the user through the roles. Examples of such entries include transactions, URLs, and reports.

Select and change functions by adjusting the menu tree for the individual roles, as required. You can also insert or delete transactions into or from the tree structure.

You can integrate reports by choosing the Report function in the dropdown menu of the Insert push button. In this case, role maintenance creates transaction codes (if they do not already exist) with which the reports can be called.

By choosing the function Web address or file in the dropdown menu of the Insert push button, you can add internet addresses or links to files (such as tables or text files). When integrating files, you must use storage paths instead of URLs. You can also specify Business Warehouse (BW) Web Reports and links to external mail systems and the Knowledge Warehouse (KW).

You can create, move, delete, and rename directories and subdirectories as required in the change menus. You can also use the drag-and-drop function in role maintenance.

Two screenshots showing the process of generating an authorization profile in a software application. The left image shows role details, and the right image displays various authorization settings.

Role maintenance automatically creates the authorizations associated with the transactions specified in the menu tree. However, all authorization values must be manually checked and adjusted, if required, per the actual requirements and authorities. The system administrator and the appropriate user department are responsible for this task.

Fields that are flagged as organizational levels are not maintained directly in the authorization but via the Organizational Levels push button (Ctrl+F8).

Choose the Authorizations tab page and then choose Display Authorization Data or the Change Authorization push button, depending on the maintenance mode. Then, check the scope and contents of the authorizations.

A green traffic light in the authorization overview indicates that role maintenance has supplied at least one proposal for every field of the authorization, so the authorization is complete as proposed.

A yellow traffic light indicates that the authorization must be maintained manually after it has been created: role maintenance provides no default value for at least one field. For example, it cannot determine whether a program that accesses files should be allowed read-only access or read and write access.

Some fields appear in many authorizations. Therefore, several essential fields, such as the company code, are combined into organizational levels. If you maintain an entry for the organizational level using the Organizational Levels push button, you can then maintain all the fields that appear there in one go. A red traffic light indicates an unmaintained organizational level.

When all authorizations are maintained as required, the authorization profile can be generated by choosing Generate. The system proposes a profile name when the profile is first generated; after that, the name cannot be changed. The authorizations are combined into profiles. For the authorizations to take effect for a user, the profiles must be entered in the user master record (by role maintenance). This step is called the user master record comparison.

Users and Roles

Users are assigned to roles in the role maintenance transaction (transaction PFCG) or the user maintenance transaction (transaction SU01). In PFCG, the user ID assignments are maintained on the User tab page of the role; in SU01, the roles assigned to a user are maintained on the Roles tab page. When a user ID is assigned, the system uses the current date as the start of the validity period of the assignment and sets 31.12.9999 as the end date by default. Both the start and end dates can be changed as business requirements dictate.

Diagram shows four roles each connected to a person using a computer. Single Role 1 and Single Role 2 connect to the same person. Single Role 3 connects to another person. Single Role 4 connects to a third person.

Users can be linked to more than one role. This can be useful if some activities, such as printing, are permissible across roles.

The assignment of roles to users does not automatically grant them the corresponding authorizations. To assign the authorizations, you must perform a user master record comparison, during which the profiles assigned to the roles are entered in the user master record.

User Master Record Comparison

A user master record comparison adds authorization profiles to, or removes them from, a user master record based on the user's current role assignments. During the comparison, the profiles of newly assigned roles are entered in the user master record. If role assignments are removed, either manually or because their validity period has expired, the corresponding authorization profiles are deleted from the user master record.

The comparison can be performed individually for each role during role maintenance by choosing User Comparison on the User tab page. In the dialog box that the system displays, choose Complete comparison.

Diagram illustrating an Authorization Profile process with User Comparison to verify access. Three user icons with computers are connected by arrows and keys, representing the authorization checks.

If multiple role assignments are to be updated, you can perform a corresponding comparison in role maintenance by choosing Utilities → Mass comparison (transaction PFUD). You can specify the desired roles individually or update all assignments by entering the asterisk (*) character.

You can also activate the periodic user master record comparison in role maintenance by choosing Utilities → Mass comparison and selecting the option Schedule or check job for the complete reconciliation. The system then searches for the background job PFCG_TIME_DEPENDENCY; if no such job exists, you can create one. By default, the comparison of all user master records runs once a day.

Assign a Role

In the following exercise, you will learn how to assign a role to an SAP Fiori Launchpad user.

Summary

You can now describe the authorization concept for the On-Premise/Private cloud and implement ABAP roles.
