SAP Basic Authorization Management
Roles and Authorizations allow users to access SAP Standard as well as custom Transactions in a secure way.
SAP provides a set of generic Standard roles for different modules and different scenarios.
We can also define our own roles based on the Project scenario, keeping the concept below in mind.
There are basically two types of Roles:
- Master Roles – With Transactions, Authorization Objects and all organizational level management.
- Derived Roles – With organizational level management; Transactions and Authorization Objects are copied from the Master Role.
Components of Role
A Master Role or a Derived Role has the following components:
- Transaction Codes
- Authorization Objects
- Organization level
Transaction Codes: SAP Transaction codes (Standard or custom).
Profiles are the objects that actually store the authorization data, and Roles are the containers that hold the profile authorization data.
Authorization Objects: objects that define the relation between different fields and help restrict or allow the values of each field (for example, Authorization object I_VORG_ORD, "PM: Business Operation for Orders", contains the relation between the fields AUFART = Order Type and BETRVORG = Business Transaction).
Authorization objects are actually defined in the programs that are executed for a particular transaction. We can also create custom authorization objects for a particular transaction (generally a custom transaction).
Organization level: this defines the organizational elements in SAP, for example Company Code, Plant, Planning Plant, Purchase organization, Sales organization, Work Centers, etc.
As an example, suppose we create a role for Maintenance In-charges in a particular industry who are responsible for different maintenance plants. Consider the following scenario:
Company = C1, Maintenance Plants = M1, M2, M3 and M4 (hence assuming 4 Shift In-charges).
As mentioned before, the Maintenance In-charge will have rights to the following transactions: IW22, IW23, IW28, IW29, IW31, IW32, IW38 and IW39, but he will not have rights to release the Maintenance order.
For more information, refer to SAP Help.
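The scenario above can be modelled to see why one Master Role with four Derived Roles keeps each In-charge inside his own plant and without release rights. This is an added example, not SAP code and not from the original page; the role names, the COMPANY/PLANT org-level keys and the ORDER_TYPE, CHANGE and RELEASE values are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder values, not real SAP codes: take the real AUFART and
# BETRVORG values from your own system when maintaining I_VORG_ORD.
ORDER_TYPE = "ORDER_TYPE_X"
CHANGE, RELEASE = "CHANGE", "RELEASE"

@dataclass
class MasterRole:
    name: str
    tcodes: set          # transactions in the role menu
    auth_objects: dict   # authorization object -> field -> allowed values

@dataclass
class DerivedRole:
    name: str
    master: MasterRole   # transactions and objects are inherited, never edited here
    org_levels: dict     # org-level field -> allowed values, set per derived role

    def check(self, tcode, obj, fields, org):
        """Allow only if the tcode, every object field and every org level match."""
        if tcode not in self.master.tcodes:
            return False
        allowed = self.master.auth_objects.get(obj, {})
        for name, value in fields.items():
            values = allowed.get(name, set())
            if "*" not in values and value not in values:
                return False
        return all(v in self.org_levels.get(k, set()) for k, v in org.items())

# Role names and the COMPANY/PLANT org-level keys are hypothetical.
MASTER = MasterRole(
    name="Z_PM_INCHARGE_MASTER",
    tcodes={"IW22", "IW23", "IW28", "IW29", "IW31", "IW32", "IW38", "IW39"},
    auth_objects={"I_VORG_ORD": {"AUFART": {ORDER_TYPE}, "BETRVORG": {CHANGE}}},
)

def derive_roles(master, company, plants):
    """One derived role per plant; only the organizational levels differ."""
    return {p: DerivedRole(f"Z_PM_INCHARGE_{p}", master,
                           {"COMPANY": {company}, "PLANT": {p}}) for p in plants}

ROLES = derive_roles(MASTER, "C1", ["M1", "M2", "M3", "M4"])

def can(plant_role, tcode, business_txn, plant):
    """Would the holder of this plant's derived role pass the I_VORG_ORD check?"""
    return ROLES[plant_role].check(
        tcode, "I_VORG_ORD",
        {"AUFART": ORDER_TYPE, "BETRVORG": business_txn}, {"PLANT": plant})
```

Because the release value is never maintained in the Master Role, no Derived Role can gain it, and a review of release rights only has to look at one role instead of four.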
Checking the role name by transaction code and user name
To check all Z* roles of user "FID05" that are assigned tcode FI12, go to transaction code SUIM.
Choose Roles -> Roles by Complex Selection Criteria
Enter the Role value, preferably "Z*" to search all Z roles (ignore this if you are using standard roles of the SAP system)
Check “All roles regardless of user assignment”
Enter user name "FID05" or several user names (use the button to paste from the clipboard)
This is the result. You can see the role name for the transaction code.
Similarly, you can check Profile, Authorization, Authorization Objects, Transaction, etc. by several parameters.
Add a new transaction code to an existing role
Go to transaction code PFCG -> Enter Role Z_* -> Click Change
Click on tab Menu -> Click button Transaction -> Enter tcode, click Assign Transactions -> Save
Go to tab Authorizations -> Click button Change Authorization Data
Choose the authorization that needs to change -> go to the authorization object -> change it by clicking the button and entering the value.
Then click the Generate button -> click Save to complete.
Note: you can use the Manually button to add an authorization object manually if necessary.
Then go to tab User -> Click button User Comparison to complete.
Save role and exit to finish.
Go to tcode SU53
Then click button Stored Checks -> Enter the user name to be checked -> Click Execute to check.
If the result looks like the image below after the user has executed the transaction code (see the note below):
Note: this is mandatory. The user being checked must execute the new transaction code before you check the authorization.
-> The authorization was implemented successfully.
These are the basics of SAP authorization management.