Authorization Concept

The document discusses authorization concepts in SAP including authentication, authorization objects, authorization fields, roles, profiles, and traffic lights. It provides details on how authorization is implemented and managed in SAP systems.

Authorization ---- permission or privileges (Inside system)

Authentication --- Identity check (User Id/ Password)

(Authentication with user IDs and passwords is a bit weak, so in the future SAP may come up with
advanced identity checks such as fingerprint or iris scan, which are more secure.)

 Authorization is identified by authorization fields and authorization objects.

An authorization object is a group of at most 10 authorization fields.

The object class indicates the area the authorization objects belong to.

Authorization object

Authorization Field 1     Value 1
Authorization Field 2     Value 2
.                         .
.                         .
.                         .
Authorization Field 10    Value 10

SU21 – Tcode for authorization objects

Ex:

HR Member

Appraisals – T1 (Tcode) – Authorization object 1

Recruitment – T2 (Tcode) -- Authorization object 2

Payrolls - T3 (Tcode) - Authorization object 3

Tcode: Tcode stands for transaction code, i.e. a program. A Tcode acts as a shortcut to a program.
The activities below are performed under the SU01 Tcode.

Using SU24, we found the following authorization objects related to Tcode SU01 in SAP.

To create user: S_USER_GRP

To assign roles to user: S_USER_AGR

To assign profiles to user: S_USER_PRO

Role1: SU01+S_USER_GRP, S_USER_AGR --- User cannot assign profiles to another user.

Role2: SU01+S_USER_AGR, S_USER_PRO --- User cannot create other users.

Role3: SU01+ No objects -- User cannot perform any activity under SU01.

Note: The authorization objects required for a particular Tcode are linked to that Tcode
in SU24.
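The Role1 and Role3 cases above can be modelled as follows. This is an added example, not SAP code and not part of the original notes; the field names (TCD, CLASS, ACT_GROUP, ACTVT), the user groups and all field values are sample data that do not appear on the page.

```python
# Added illustration: a simplified model of the authorization check, not SAP code.
# One authorization = one authorization object plus allowed values per field.
# User groups HR_USERS / FI_USERS and all field values are constructed.
# ACTVT values used: 01 = create, 02 = change, 03 = display.

def auth(obj, **fields):
    return {"object": obj, "fields": {k: set(v) for k, v in fields.items()}}

ROLES = {
    # Role1 from the text: SU01 + S_USER_GRP, S_USER_AGR
    "Role1": [
        auth("S_TCODE", TCD=["SU01"]),
        auth("S_USER_GRP", CLASS=["HR_USERS"], ACTVT=["01", "02", "03"]),
        auth("S_USER_GRP", CLASS=["*"], ACTVT=["03"]),
        auth("S_USER_AGR", ACT_GROUP=["*"], ACTVT=["02", "03"]),
    ],
    # Role3 from the text: SU01 with no further objects
    "Role3": [auth("S_TCODE", TCD=["SU01"])],
}

def user_authorizations(role_names):
    """Roles are additive: the user holds every authorization of every role."""
    return [a for name in role_names for a in ROLES[name]]

def check(authorizations, obj, **wanted):
    """True only if ONE authorization for obj covers all requested field values.

    Values are never combined across two authorizations of the same object.
    """
    for a in authorizations:
        if a["object"] != obj:
            continue
        if all(f in a["fields"] and ("*" in a["fields"][f] or v in a["fields"][f])
               for f, v in wanted.items()):
            return True
    return False

def can_create_user(role_names, user_group):
    auths = user_authorizations(role_names)
    return (check(auths, "S_TCODE", TCD="SU01")
            and check(auths, "S_USER_GRP", CLASS=user_group, ACTVT="01"))

if __name__ == "__main__":
    print(can_create_user(["Role1"], "HR_USERS"))  # own group, create
    print(can_create_user(["Role1"], "FI_USERS"))  # '*' authorization only grants display
    print(can_create_user(["Role3"], "HR_USERS"))  # Tcode alone is not enough
```

The second call is the case to watch in role reviews: a wildcard on one field does not widen another authorization of the same object, because each authorization is evaluated on its own.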

1) Sales order creation – VA01
2) Printer to print docs – SP01
3) See my payroll – PA30

Now we have to pull the authorization objects related to these Tcodes from SU24.

Role: 3 Tcodes+ Authorization objects related to these 3 Tcodes.

Note: We cannot assign Tcodes or authorization objects directly to a user. Hence we place
them under a role, and then the role is assigned to the user.
Authorization objects for VA01

Authorization objects for SP01

Authorization objects for PA30

TCode: TCode stands for transaction code, i.e. a program. A TCode acts as a shortcut to a program.

SE93 – Tcode maintenance (Create, Modify and display the TCode)

SA38 – To execute program

SE38 – To maintain program --- (Create, Modify, delete & execute the program)
Profiles concept

PFCG - Profile Generator

Profiles are of 2 Types

1) Standard (which comes along with installation)

2) Generated (through roles)

- Standard Profiles can be assigned to user directly

- Generated profiles cannot be assigned to user directly.

SAP recommends never assigning standard profiles to users, as they give extra access.

Hence we have to assign roles to the user, which in turn assigns the generated profiles to the user.

Generated profile names start with the letter T.

Role administration

Role – a group of T-Codes and their related authorizations.

Create the necessary roles for each and every team in the project.
The following teams are in the project:

- Finance
- HR
- Basis
- SD
- MM
- ABAP
- Security

Ex: The HR team performs the activities below.

- Personnel administration – PA20, PA30, PA40.
- Organizational management – PO10, PO13, PPOME.
- Payroll

Roles fall into 2 categories:

Technical / Support roles – support users.

Functional / Business roles – end users or business users.

Role matrix
Information gathered from all technical teams regarding the roles, the types of roles and
the access they need.
Within the business roles, e.g. the SALES department, there can be different levels of
employees such as Clerk, Supervisor, Manager, Sr. Manager.

Role creation / modification process:

1) A change request (CR) form has to be filled in by the respective technical team.
2) It has to be approved by the CAB (change advisory board).
3) Once approved, the request comes to security and we create the roles.

PFCG: Profile generator.

Role naming convention

Types of roles

1) Single (X)
2) Composite(Y)
3) Derived (Z)

Role length 30 Char max.


The role name should contain the following data.

- Role type

- Business process or functional module – FI, HR, SD……

- Sub process – HR (PA, PD, Payroll), FI (AP, GL, FA)

- Extra information – client, project, branch or business name.

PFCG
Description tab: Fill the long text with information such as why, when and by whom the role is being created.

Click on Save.

Menu tab: Fill in the list of T-Codes here.

Authorization tab: Go to Change Authorization Data and generate the profile.
Open a new window and execute SU24.
The objects for SE38 are shown there.
User tab: Shows the list of users assigned to this role.

Create a test user, assign the newly created role to it, and check in this role.

Now under the User tab you can see the assigned user.

If you add a user under this tab, the role is automatically assigned to that user.

Personalization: Do not touch it.

If we click on the hills-and-sun icon shown below, we get authorization object details such as
which TCode the authorization object belongs to.
Once you click on it, you get the results below.

Compare the screenshot below with the color coding:

AAAB is the object class.

S_TCODE is the authorization object.

T-B7970005… is an authorization.

Activity and the entries below it, which carry values, are the authorization fields.

Traffic lights Concept


For a better understanding of this concept, let's add a new T_Code alongside the existing T_Code.
Now go to the Authorizations tab and click Change Authorization Data.

Now we can see some new authorization objects coming in.

These come from the newly added T_Code, PFCG.

Click on Transactions for an Authorization Object (hills and sun).

We get the details of which T_Code each authorization object belongs to.

Traffic lights

Green – All Authorization fields are filled or maintained with values.

Yellow – At least one Authorization field is not maintained.

Red- Unmaintained Organizational levels.

In our role also we have 3 Different colors.


Organizational field

An authorization object contains authorization fields.

Authorization fields are of 2 types.

Normal field – Ex: Activity, Role name.

Org field – a field which represents the organization. Ex: Plant, Cost center.

Org field value – the meaning varies from organization to organization.

Ex: BMW - Plant: 100 (UK Plant)

Walmart - Plant: 100 (USA Branch)

Whereas a normal field value is universal.

Ex: Activity 03 (Display)

Org field values are maintained under Organizational levels in the Authorization tab.

Normal field values can be maintained directly.
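The traffic-light rules and the role-wide organizational levels described above, as an added example that is not SAP code and not part of the original notes. Object names, field names and values are constructed (WERKS stands in for the Plant org field), and showing the worst light at role level is an assumption of this model.

```python
# Added illustration: the traffic-light rules as a small model, not SAP code.
# Field names and values are constructed; WERKS stands for the Plant org field.
ORG_FIELDS = {"WERKS"}
SEVERITY = ["green", "yellow", "red"]

def object_light(fields, org_levels):
    """fields: {field: [values]} of one authorization object.
    org_levels: {org_field: [values]} maintained once for the whole role."""
    for name in fields:
        if name in ORG_FIELDS and not org_levels.get(name):
            return "red"        # unmaintained organizational level
    for name, values in fields.items():
        if name not in ORG_FIELDS and not values:
            return "yellow"     # at least one normal field not maintained
    return "green"              # every field has a value

def role_report(role):
    """Return (overall light, {object: light}); overall is the worst light."""
    lights = {name: object_light(f, role["org_levels"])
              for name, f in role["objects"].items()}
    overall = max(lights.values(), key=SEVERITY.index, default="green")
    return overall, lights

# Constructed sample role: object names OBJ_A..OBJ_C are placeholders.
SAMPLE_ROLE = {
    "org_levels": {"WERKS": []},                        # plant not yet maintained
    "objects": {
        "OBJ_A": {"ACTVT": ["03"]},                     # complete
        "OBJ_B": {"ACTVT": ["03"], "GROUP": []},        # open normal field
        "OBJ_C": {"ACTVT": ["01", "02"], "WERKS": []},  # depends on the org level
    },
}

def maintain_org_level(role, field, values):
    """Maintaining an org level once fills it for every object in the role."""
    updated = {**role, "org_levels": {**role["org_levels"], field: list(values)}}
    return role_report(updated)

if __name__ == "__main__":
    print(role_report(SAMPLE_ROLE))
    print(maintain_org_level(SAMPLE_ROLE, "WERKS", ["100"]))
```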

If we click on Organizational levels


The plan version is empty

Status of Authorization object

Standard – SAP default values pulled from SU24 for the TCode added in the menu.

Maintained – blank fields have been maintained with values.

In the screenshot below, Authorization group is empty.

We maintained a value in Authorization group and the status turned to Maintained in the screenshot below.

(Previously it was Standard; it turned to Maintained after we added NC in Authorization
group.)
Changed – SAP default values have been modified.

In the screenshot above, the Activity authorization field values are 01,02,03,04,21,22,36,64,DL,UL.

We are going to uncheck the authorization field values 01 and 02, as in the screenshot below.

After saving, the screen below shows that the status has turned to Changed.

(Previously it was Standard; after we changed the authorization field values it turned to Changed.)
Manually – Represents Authorization

In the screenshot below, the authorization objects came from SU24 through the TCodes.

If we click on Manually, we can add an authorization object manually (here S_GUI), as in the
screenshot below.
Now, in the screenshot below, S_GUI is added and its status shows Manually.

Deleting Authorization objects from role


To delete an authorization object, the conditions below have to be satisfied.

1) The authorization object should be deactivated.

To deactivate it, click on Inactive as in the screenshot below.

Once it is deactivated we can delete it, but it has to satisfy another condition.

2) The authorization object status should be either Manually or Changed.

If it is Standard or Maintained, the system does not allow us to delete it.

Ex: If we try to delete a Standard object, we get the popup below.
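The four statuses and the two deletion conditions, as an added example that is not SAP code and not part of the original notes. The field names ACTVT and AUTH_GROUP are placeholders, and putting the Activity and Authorization group fields on one object is a simplification made here.

```python
# Added illustration: the status and deletion rules as a model, not SAP code.
# Field names are placeholders; values follow the walk-through in the text.

def status(su24_default, current, added_manually=False):
    """su24_default / current: {field: set(values)} for one authorization object."""
    if added_manually:
        return "Manual"
    for field, default in su24_default.items():
        if default and current.get(field, set()) != default:
            return "Changed"          # an SAP default value was modified
    for field, default in su24_default.items():
        if not default and current.get(field):
            return "Maintained"       # a blank field was filled in
    return "Standard"                 # exactly what SU24 delivered

def can_delete(obj_status, active):
    """Deletion needs BOTH: object deactivated and status Manual or Changed."""
    return (not active) and obj_status in {"Manual", "Changed"}

# Ten default activities and an empty authorization group, as in the text.
DEFAULT = {
    "ACTVT": {"01", "02", "03", "04", "21", "22", "36", "64", "DL", "UL"},
    "AUTH_GROUP": set(),
}

def walk_through():
    untouched = status(DEFAULT, DEFAULT)
    filled = status(DEFAULT, {**DEFAULT, "AUTH_GROUP": {"NC"}})
    trimmed = status(DEFAULT, {**DEFAULT, "ACTVT": DEFAULT["ACTVT"] - {"01", "02"}})
    manual = status({}, {"ACTVT": {"02"}}, added_manually=True)  # e.g. S_GUI
    return untouched, filled, trimmed, manual

if __name__ == "__main__":
    for s in walk_through():
        print(s, "inactive -> deletable:", can_delete(s, active=False))
```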
